release: 0.35.3

fix(ldap): sync error if LDAP user collides with an existing user
fix: add option to manually select SMTP TLS method (#268 )
2025-12-06 05:02:58 +03:00 · 2025-02-25 20:34:37 +01:00 · 2025-02-25 20:34:13 +01:00 · 2025-02-25 19:10:20 +01:00 · 2025-02-24 09:40:48 +01:00 · 2025-02-24 09:40:14 +01:00
156 changed files with 6482 additions and 24687 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,4 @@
-# See the README for more information: https://github.com/stonith404/pocket-id?tab=readme-ov-file#environment-variables
+# See the README for more information: https://github.com/pocket-id/pocket-id?tab=readme-ov-file#environment-variables
 PUBLIC_APP_URL=http://localhost
 TRUST_PROXY=false
 MAXMIND_LICENSE_KEY=
--- a/.github/workflows/build-and-push-docker-image.yml
+++ b/.github/workflows/build-and-push-docker-image.yml
@@ -6,7 +6,10 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # Using an older version because of https://github.com/actions/runner-images/issues/11471
+    permissions:
+      contents: read
+      packages: write      
    steps:
      - name: checkout code
        uses: actions/checkout@v3
@@ -17,7 +20,6 @@ jobs:
        with:
          images: |
            ghcr.io/${{ github.repository }}
-            ${{ github.repository }}
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -1,51 +0,0 @@
-name: Deploy Docs
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "docs/**"
-
-jobs:
-  build:
-    name: Build Docusaurus
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: lts/*
-          cache: "npm"
-          cache-dependency-path: docs/package-lock.json
-
-      - name: Install dependencies
-        run: npm install
-        working-directory: ./docs
-
-      - name: Build website
-        run: npm run build
-        working-directory: ./docs
-
-      - name: Upload Build Artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: docs/build
-
-  deploy:
-    name: Deploy to GitHub Pages
-    needs: build
-
-    permissions:
-      pages: write
-      id-token: write
-
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-
-    runs-on: ubuntu-latest
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -24,7 +24,7 @@ jobs:
      - name: Build and export
        uses: docker/build-push-action@v6
        with:
-          tags: stonith404/pocket-id:test
+          tags: pocket-id/pocket-id:test
          outputs: type=docker,dest=/tmp/docker-image.tar

      - name: Upload Docker image artifact
@@ -65,7 +65,7 @@ jobs:
          docker run -d --name pocket-id-sqlite \
          -p 80:80 \
          -e APP_ENV=test \
-          stonith404/pocket-id:test
+          pocket-id/pocket-id:test

      - name: Run Playwright tests
        working-directory: ./frontend
@@ -138,7 +138,7 @@ jobs:
          -e APP_ENV=test \
          -e DB_PROVIDER=postgres \
          -e POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
-          stonith404/pocket-id:test
+          pocket-id/pocket-id:test

      - name: Run Playwright tests
        working-directory: ./frontend
--- a/.gitignore
+++ b/.gitignore
@@ -38,11 +38,6 @@ data
 pocket-id-backend
 /backend/GeoLite2-City.mmdb

-# Generated files
-docs/build
-docs/.docusaurus
-docs/.cache-loader
-
 # Misc
 .DS_Store
 .env.local
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.28.0
+0.35.3
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,105 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.2...v) (2025-02-25)
+
+
+### Bug Fixes
+
+* add option to manually select SMTP TLS method ([#268](https://github.com/pocket-id/pocket-id/issues/268)) ([01a9de0](https://github.com/pocket-id/pocket-id/commit/01a9de0b04512c62d0f223de33d711f93c49b9cc))
+* **ldap:** sync error if LDAP user collides with an existing user ([fde951b](https://github.com/pocket-id/pocket-id/commit/fde951b543281fedf9f602abae26b50881e3d157))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.1...v) (2025-02-24)
+
+
+### Bug Fixes
+
+* delete profile picture if user gets deleted ([9a167d4](https://github.com/pocket-id/pocket-id/commit/9a167d4076872e5e3e5d78d2a66ef7203ca5261b))
+* updating profile picture of other user updates own profile picture ([887c5e4](https://github.com/pocket-id/pocket-id/commit/887c5e462a50c8fb579ca6804f1a643d8af78fe8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.0...v) (2025-02-22)
+
+
+### Bug Fixes
+
+* add validation that `PUBLIC_APP_URL` can't contain a path ([a6ae7ae](https://github.com/pocket-id/pocket-id/commit/a6ae7ae28713f7fc8018ae2aa7572986df3e1a5b))
+* binary profile picture can't be imported from LDAP ([840a672](https://github.com/pocket-id/pocket-id/commit/840a672fc35ca8476caf86d7efaba9d54bce86aa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.34.0...v) (2025-02-19)
+
+
+### Features
+
+* add ability to upload a profile picture ([#244](https://github.com/pocket-id/pocket-id/issues/244)) ([652ee6a](https://github.com/pocket-id/pocket-id/commit/652ee6ad5d6c46f0d35c955ff7bb9bdac6240ca6))
+
+
+### Bug Fixes
+
+* app config strings starting with a number are parsed incorrectly ([816c198](https://github.com/pocket-id/pocket-id/commit/816c198a42c189cb1f2d94885d2e3623e47e2848))
+* emails do not get rendered correctly in Gmail ([dca9e7a](https://github.com/pocket-id/pocket-id/commit/dca9e7a11a3ba5d3b43a937f11cb9d16abad2db5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.33.0...v) (2025-02-16)
+
+
+### Features
+
+* add LDAP group membership attribute ([#236](https://github.com/pocket-id/pocket-id/issues/236)) ([39b46e9](https://github.com/pocket-id/pocket-id/commit/39b46e99a9b930ea39cf640c3080530cfff5be6e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.32.0...v) (2025-02-14)
+
+
+### Features
+
+* add end session endpoint ([#232](https://github.com/pocket-id/pocket-id/issues/232)) ([7550333](https://github.com/pocket-id/pocket-id/commit/7550333fe2ff6424f3168f63c5179d76767532fd))
+
+
+### Bug Fixes
+
+* alignment of OIDC client details ([c3980d3](https://github.com/pocket-id/pocket-id/commit/c3980d3d28a7158a4dc9369af41f185b891e485e))
+* layout of OIDC client details page on mobile ([3de1301](https://github.com/pocket-id/pocket-id/commit/3de1301fa84b3ab4fff4242d827c7794d44910f2))
+* show  "Sync Now" and "Test Email" button even if UI config is disabled ([4d0fff8](https://github.com/pocket-id/pocket-id/commit/4d0fff821e2245050ce631b4465969510466dfae))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.31.0...v) (2025-02-13)
+
+
+### Features
+
+* add ability to set custom Geolite DB URL ([2071d00](https://github.com/pocket-id/pocket-id/commit/2071d002fc5c3b5ff7a3fca6a5c99f5517196853))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.30.0...v) (2025-02-12)
+
+
+### Features
+
+* add ability to override the UI configuration with environment variables ([4e85842](https://github.com/pocket-id/pocket-id/commit/4e858420e9d9713e19f3b35c45c882403717f72f))
+* add warning for only having one passkey configured ([#220](https://github.com/pocket-id/pocket-id/issues/220)) ([39e403d](https://github.com/pocket-id/pocket-id/commit/39e403d00f3870f9e960427653a1d9697da27a6f))
+* display source in user and group table ([#225](https://github.com/pocket-id/pocket-id/issues/225)) ([9ed2adb](https://github.com/pocket-id/pocket-id/commit/9ed2adb0f8da13725fd9a4ef6a7798c377d13513))
+
+
+### Bug Fixes
+
+* user linking in ldap group sync ([#222](https://github.com/pocket-id/pocket-id/issues/222)) ([2d78349](https://github.com/pocket-id/pocket-id/commit/2d78349b381d7ca10f47d3c03cef685a576b1b49))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.29.0...v) (2025-02-08)
+
+
+### Features
+
+* add custom ldap search filters ([#216](https://github.com/pocket-id/pocket-id/issues/216)) ([626f87d](https://github.com/pocket-id/pocket-id/commit/626f87d59211f4129098b91dc1d020edb4aca692))
+* update host configuration to allow external access ([#218](https://github.com/pocket-id/pocket-id/issues/218)) ([bea1158](https://github.com/pocket-id/pocket-id/commit/bea115866fd8e4b15d3281c422d2fb72312758b1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.28.1...v) (2025-02-05)
+
+
+### Features
+
+* add JSON support in custom claims ([15cde6a](https://github.com/pocket-id/pocket-id/commit/15cde6ac66bc857ac28df545a37c1f4341977595))
+* add option to disable Caddy in the Docker container ([e864d5d](https://github.com/pocket-id/pocket-id/commit/e864d5dcbff1ef28dc6bf120e4503093a308c5c8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.28.0...v) (2025-02-04)
+
+
+### Bug Fixes
+
+* don't return error page if version info fetching failed ([d06257e](https://github.com/stonith404/pocket-id/commit/d06257ec9b5e46e25e40c174b4bef02dca0a1ea3))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)


--- a/backend/.env.example
+++ b/backend/.env.example
@@ -7,4 +7,4 @@ SQLITE_DB_PATH=data/pocket-id.db
 POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
 PORT=8080
-HOST=localhost
+HOST=0.0.0.0
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,7 +1,7 @@
 package main

 import (
-	"github.com/stonith404/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )

 func main() {
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,9 +1,10 @@
-module github.com/stonith404/pocket-id/backend
+module github.com/pocket-id/pocket-id/backend

 go 1.23.1

 require (
 	github.com/caarlos0/env/v11 v11.3.1
+	github.com/disintegration/imaging v1.6.2
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gin-gonic/gin v1.10.0
 	github.com/go-co-op/gocron/v2 v2.15.0
@@ -17,6 +18,7 @@ require (
 	github.com/mileusna/useragent v1.3.5
 	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
 	golang.org/x/crypto v0.32.0
+	golang.org/x/image v0.24.0
 	golang.org/x/time v0.9.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/driver/sqlite v1.5.7
@@ -64,9 +66,9 @@ require (
 	golang.org/x/arch v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
 	golang.org/x/net v0.34.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -22,6 +22,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
 github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
@@ -211,6 +213,9 @@ golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
 golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -235,8 +240,9 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -268,8 +274,9 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -1,13 +1,14 @@
 package bootstrap

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 // initApplicationImages copies the images from the images directory to the application-images directory
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -2,7 +2,7 @@ package bootstrap

 import (
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func Bootstrap() {
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -3,20 +3,21 @@ package bootstrap
 import (
 	"errors"
 	"fmt"
+	"log"
+	"os"
+	"time"
+
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/resources"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/resources"
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"log"
-	"os"
-	"time"
 )

 func newDatabase() (db *gorm.DB) {
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -5,11 +5,11 @@ import (
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/controller"
-	"github.com/stonith404/pocket-id/backend/internal/job"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 )
@@ -41,7 +41,7 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
-	testService := service.NewTestService(db, appConfigService)
+	testService := service.NewTestService(db, appConfigService, jwtService)
 	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)

--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -2,6 +2,7 @@ package common

 import (
 	"log"
+	"net/url"

 	"github.com/caarlos0/env/v11"
 	_ "github.com/joho/godotenv/autoload"
@@ -10,8 +11,9 @@ import (
 type DbProvider string

 const (
-	DbProviderSqlite   DbProvider = "sqlite"
-	DbProviderPostgres DbProvider = "postgres"
+	DbProviderSqlite      DbProvider = "sqlite"
+	DbProviderPostgres    DbProvider = "postgres"
+	MaxMindGeoLiteCityUrl string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 )

 type EnvConfigSchema struct {
@@ -25,6 +27,8 @@ type EnvConfigSchema struct {
 	Host                     string     `env:"HOST"`
 	MaxMindLicenseKey        string     `env:"MAXMIND_LICENSE_KEY"`
 	GeoLiteDBPath            string     `env:"GEOLITE_DB_PATH"`
+	GeoLiteDBUrl             string     `env:"GEOLITE_DB_URL"`
+	UiConfigDisabled         bool       `env:"PUBLIC_UI_CONFIG_DISABLED"`
 }

 var EnvConfig = &EnvConfigSchema{
@@ -35,9 +39,11 @@ var EnvConfig = &EnvConfigSchema{
 	UploadPath:               "data/uploads",
 	AppURL:                   "http://localhost",
 	Port:                     "8080",
-	Host:                     "localhost",
+	Host:                     "0.0.0.0",
 	MaxMindLicenseKey:        "",
 	GeoLiteDBPath:            "data/GeoLite2-City.mmdb",
+	GeoLiteDBUrl:             MaxMindGeoLiteCityUrl,
+	UiConfigDisabled:         false,
 }

 func init() {
@@ -56,4 +62,12 @@ func init() {
 	if EnvConfig.DbProvider == DbProviderSqlite && EnvConfig.SqliteDBPath == "" {
 		log.Fatal("Missing SQLITE_DB_PATH environment variable")
 	}
+
+	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
+	if err != nil {
+		log.Fatal("PUBLIC_APP_URL is not a valid URL")
+	}
+	if parsedAppUrl.Path != "" {
+		log.Fatal("PUBLIC_APP_URL must not contain a path")
+	}
 }
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -31,6 +31,13 @@ type TokenInvalidOrExpiredError struct{}
 func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
 func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }

+type TokenInvalidError struct{}
+
+func (e *TokenInvalidError) Error() string {
+	return "Token is invalid"
+}
+func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+
 type OidcMissingAuthorizationError struct{}

 func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
@@ -182,5 +189,33 @@ type OidcAccessDeniedError struct{}
 func (e *OidcAccessDeniedError) Error() string {
 	return "You're not allowed to access this service"
 }
-
 func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcClientIdNotMatchingError struct{}
+
+func (e *OidcClientIdNotMatchingError) Error() string {
+	return "Client id in request doesn't match client id in token"
+}
+func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcNoCallbackURLError struct{}
+
+func (e *OidcNoCallbackURLError) Error() string {
+	return "No callback URL provided"
+}
+func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UiConfigDisabledError struct{}
+
+func (e *UiConfigDisabledError) Error() string {
+	return "The configuration can't be changed since the UI configuration is disabled"
+}
+func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+
+type InvalidUUIDError struct{}
+
+func (e *InvalidUUIDError) Error() string {
+	return "Invalid UUID"
+}
+
+type InvalidEmailError struct{}
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -2,13 +2,14 @@ package controller

 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 func NewAppConfigController(
--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -1,13 +1,14 @@
 package controller

 import (
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"

+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {
--- a/backend/internal/controller/custom_claim_controller.go
+++ b/backend/internal/controller/custom_claim_controller.go
@@ -1,11 +1,12 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewCustomClaimController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, customClaimService *service.CustomClaimService) {
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -1,13 +1,18 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+	"log"
 	"net/http"
+	"net/url"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
@@ -18,6 +23,8 @@ func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt

 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/end-session", oc.EndSessionHandler)
+	group.GET("/oidc/end-session", oc.EndSessionHandler)

 	group.GET("/oidc/clients", jwtAuthMiddleware.Add(true), oc.listClientsHandler)
 	group.POST("/oidc/clients", jwtAuthMiddleware.Add(true), oc.createClientHandler)
@@ -121,6 +128,44 @@ func (oc *OidcController) userInfoHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, claims)
 }

+func (oc *OidcController) EndSessionHandler(c *gin.Context) {
+	var input dto.OidcLogoutDto
+
+	// Bind query parameters to the struct
+	if c.Request.Method == http.MethodGet {
+		if err := c.ShouldBindQuery(&input); err != nil {
+			c.Error(err)
+			return
+		}
+	} else if c.Request.Method == http.MethodPost {
+		// Bind form parameters to the struct
+		if err := c.ShouldBind(&input); err != nil {
+			c.Error(err)
+			return
+		}
+	}
+
+	callbackURL, err := oc.oidcService.ValidateEndSession(input, c.GetString("userID"))
+	if err != nil {
+		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
+		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
+		c.Redirect(http.StatusFound, common.EnvConfig.AppURL+"/logout")
+		return
+	}
+
+	// The validation was successful, so we can log out and redirect the user to the callback URL without confirmation
+	cookie.AddAccessTokenCookie(c, 0, "")
+
+	logoutCallbackURL, _ := url.Parse(callbackURL)
+	if input.State != "" {
+		q := logoutCallbackURL.Query()
+		q.Set("state", input.State)
+		logoutCallbackURL.RawQuery = q.Encode()
+	}
+
+	c.Redirect(http.StatusFound, logoutCallbackURL.String())
+}
+
 func (oc *OidcController) getClientHandler(c *gin.Context) {
 	clientId := c.Param("id")
 	client, err := oc.oidcService.GetClient(clientId)
--- a/backend/internal/controller/test_controller.go
+++ b/backend/internal/controller/test_controller.go
@@ -1,9 +1,10 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
@@ -37,5 +38,7 @@ func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 		return
 	}

+	tc.TestService.SetJWTKeys()
+
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -1,17 +1,18 @@
 package controller

 import (
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
 	"strconv"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"golang.org/x/time/rate"
 )

@@ -29,6 +30,11 @@ func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.Jwt
 	group.PUT("/users/me", jwtAuthMiddleware.Add(false), uc.updateCurrentUserHandler)
 	group.DELETE("/users/:id", jwtAuthMiddleware.Add(true), uc.deleteUserHandler)

+	group.GET("/users/:id/profile-picture.png", uc.getUserProfilePictureHandler)
+	group.GET("/users/me/profile-picture.png", jwtAuthMiddleware.Add(false), uc.getCurrentUserProfilePictureHandler)
+	group.PUT("/users/:id/profile-picture", jwtAuthMiddleware.Add(true), uc.updateUserProfilePictureHandler)
+	group.PUT("/users/me/profile-picture", jwtAuthMiddleware.Add(false), uc.updateUserProfilePictureHandler)
+
 	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
@@ -141,6 +147,74 @@ func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
 	uc.updateUser(c, true)
 }

+func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	picture, size, err := uc.userService.GetProfilePicture(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
+}
+
+func (uc *UserController) getCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	picture, size, err := uc.userService.GetProfilePicture(userID)
+	if err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
+}
+
+func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
 func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
 	var input dto.OneTimeAccessTokenCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -1,12 +1,13 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -1,17 +1,18 @@
 package controller

 import (
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"net/http"
 	"strconv"
 	"time"

+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 )

--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -1,10 +1,11 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
@@ -34,9 +35,10 @@ func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
 		"authorization_endpoint":                appUrl + "/authorize",
 		"token_endpoint":                        appUrl + "/api/oidc/token",
 		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
+		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
 		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
 		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture"},
 		"response_types_supported":              []string{"code", "id_token"},
 		"subject_types_supported":               []string{"public"},
 		"id_token_signing_alg_values_supported": []string{"RS256"},
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -21,19 +21,23 @@ type AppConfigUpdateDto struct {
 	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
 	SmtpUser                           string `json:"smtpUser"`
 	SmtpPassword                       string `json:"smtpPassword"`
-	SmtpTls                            string `json:"smtpTls"`
+	SmtpTls                            string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
 	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
 	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
 	LdapUrl                            string `json:"ldapUrl"`
 	LdapBindDn                         string `json:"ldapBindDn"`
 	LdapBindPassword                   string `json:"ldapBindPassword"`
 	LdapBase                           string `json:"ldapBase"`
+	LdapUserSearchFilter               string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter          string `json:"ldapUserGroupSearchFilter"`
 	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
 	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
 	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
 	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
 	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
 	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture    string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember           string `json:"ldapAttributeGroupMember"`
 	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
 	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
 	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -1,8 +1,8 @@
 package dto

 import (
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type AuditLogDto struct {
--- a/backend/internal/dto/dto_mapper.go
+++ b/backend/internal/dto/dto_mapper.go
@@ -2,9 +2,10 @@ package dto

 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
 	"reflect"
 	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 // MapStructList maps a list of source structs to a list of destination structs
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -8,24 +8,27 @@ type PublicOidcClientDto struct {

 type OidcClientDto struct {
 	PublicOidcClientDto
-	CallbackURLs []string `json:"callbackURLs"`
-	IsPublic     bool     `json:"isPublic"`
-	PkceEnabled  bool     `json:"pkceEnabled"`
+	CallbackURLs       []string `json:"callbackURLs"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
 }

 type OidcClientWithAllowedUserGroupsDto struct {
 	PublicOidcClientDto
-	CallbackURLs      []string                    `json:"callbackURLs"`
-	IsPublic          bool                        `json:"isPublic"`
-	PkceEnabled       bool                        `json:"pkceEnabled"`
-	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
+	CallbackURLs       []string                    `json:"callbackURLs"`
+	LogoutCallbackURLs []string                    `json:"logoutCallbackURLs"`
+	IsPublic           bool                        `json:"isPublic"`
+	PkceEnabled        bool                        `json:"pkceEnabled"`
+	AllowedUserGroups  []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
 }

 type OidcClientCreateDto struct {
-	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required"`
-	IsPublic     bool     `json:"isPublic"`
-	PkceEnabled  bool     `json:"pkceEnabled"`
+	Name               string   `json:"name" binding:"required,max=50"`
+	CallbackURLs       []string `json:"callbackURLs" binding:"required"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
 }

 type AuthorizeOidcClientRequestDto struct {
@@ -58,3 +61,10 @@ type OidcCreateTokensDto struct {
 type OidcUpdateAllowedUserGroupsDto struct {
 	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
 }
+
+type OidcLogoutDto struct {
+	IdTokenHint           string `form:"id_token_hint"`
+	ClientId              string `form:"client_id"`
+	PostLogoutRedirectUri string `form:"post_logout_redirect_uri"`
+	State                 string `form:"state"`
+}
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -1,7 +1,7 @@
 package dto

 import (
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type UserGroupDtoWithUsers struct {
--- a/backend/internal/dto/webauthn_dto.go
+++ b/backend/internal/dto/webauthn_dto.go
@@ -2,7 +2,7 @@ package dto

 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnCredentialDto struct {
--- a/backend/internal/job/db_cleanup.go
+++ b/backend/internal/job/db_cleanup.go
@@ -1,13 +1,14 @@
 package job

 import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"log"
 	"time"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )

 func RegisterDbCleanupJobs(db *gorm.DB) {
--- a/backend/internal/job/ldap_job.go
+++ b/backend/internal/job/ldap_job.go
@@ -4,7 +4,7 @@ import (
 	"log"

 	"github.com/go-co-op/gocron/v2"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 type LdapJobs struct {
--- a/backend/internal/middleware/cors.go
+++ b/backend/internal/middleware/cors.go
@@ -2,7 +2,7 @@ package middleware

 import (
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type CorsMiddleware struct{}
--- a/backend/internal/middleware/error_handler.go
+++ b/backend/internal/middleware/error_handler.go
@@ -3,13 +3,14 @@ package middleware
 import (
 	"errors"
 	"fmt"
+	"net/http"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"gorm.io/gorm"
-	"net/http"
-	"strings"
 )

 type ErrorHandlerMiddleware struct{}
--- a/backend/internal/middleware/file_size_limit.go
+++ b/backend/internal/middleware/file_size_limit.go
@@ -2,9 +2,10 @@ package middleware

 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type FileSizeLimitMiddleware struct{}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -1,11 +1,12 @@
 package middleware

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils/cookie"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 )

 type JwtAuthMiddleware struct {
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -1,10 +1,11 @@
 package middleware

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"sync"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/common"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
 )
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -35,12 +35,16 @@ type AppConfig struct {
 	LdapBindDn                         AppConfigVariable
 	LdapBindPassword                   AppConfigVariable
 	LdapBase                           AppConfigVariable
+	LdapUserSearchFilter               AppConfigVariable
+	LdapUserGroupSearchFilter          AppConfigVariable
 	LdapSkipCertVerify                 AppConfigVariable
 	LdapAttributeUserUniqueIdentifier  AppConfigVariable
 	LdapAttributeUserUsername          AppConfigVariable
 	LdapAttributeUserEmail             AppConfigVariable
 	LdapAttributeUserFirstName         AppConfigVariable
 	LdapAttributeUserLastName          AppConfigVariable
+	LdapAttributeUserProfilePicture    AppConfigVariable
+	LdapAttributeGroupMember           AppConfigVariable
 	LdapAttributeGroupUniqueIdentifier AppConfigVariable
 	LdapAttributeGroupName             AppConfigVariable
 	LdapAttributeAdminGroup            AppConfigVariable
--- a/backend/internal/model/base.go
+++ b/backend/internal/model/base.go
@@ -1,10 +1,11 @@
 package model

 import (
-	"github.com/google/uuid"
-	model "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"time"
+
+	"github.com/google/uuid"
+	model "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )

 // Base contains common columns for all tables.
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -4,7 +4,8 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 )

@@ -36,13 +37,14 @@ type OidcAuthorizationCode struct {
 type OidcClient struct {
 	Base

-	Name         string `sortable:"true"`
-	Secret       string
-	CallbackURLs CallbackURLs
-	ImageType    *string
-	HasLogo      bool `gorm:"-"`
-	IsPublic     bool
-	PkceEnabled  bool
+	Name               string `sortable:"true"`
+	Secret             string
+	CallbackURLs       UrlList
+	LogoutCallbackURLs UrlList
+	ImageType          *string
+	HasLogo            bool `gorm:"-"`
+	IsPublic           bool
+	PkceEnabled        bool

 	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
 	CreatedByID       string
@@ -55,9 +57,9 @@ func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 	return nil
 }

-type CallbackURLs []string
+type UrlList []string

-func (cu *CallbackURLs) Scan(value interface{}) error {
+func (cu *UrlList) Scan(value interface{}) error {
 	if v, ok := value.([]byte); ok {
 		return json.Unmarshal(v, cu)
 	} else {
@@ -65,6 +67,6 @@ func (cu *CallbackURLs) Scan(value interface{}) error {
 	}
 }

-func (cu CallbackURLs) Value() (driver.Value, error) {
+func (cu UrlList) Value() (driver.Value, error) {
 	return json.Marshal(cu)
 }
--- a/backend/internal/model/types/date_time.go
+++ b/backend/internal/model/types/date_time.go
@@ -2,8 +2,9 @@ package datatype

 import (
 	"database/sql/driver"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 // DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -3,7 +3,7 @@ package model
 import (
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type User struct {
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -4,9 +4,10 @@ import (
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnSession struct {
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -7,10 +7,10 @@ import (
 	"os"
 	"reflect"

-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )

@@ -27,6 +27,7 @@ func NewAppConfigService(db *gorm.DB) *AppConfigService {
 	if err := service.InitDbConfig(); err != nil {
 		log.Fatalf("Failed to initialize app config service: %v", err)
 	}
+
 	return service
 }

@@ -96,8 +97,8 @@ var defaultDbConfig = model.AppConfig{
 	},
 	SmtpTls: model.AppConfigVariable{
 		Key:          "smtpTls",
-		Type:         "bool",
-		DefaultValue: "true",
+		Type:         "string",
+		DefaultValue: "none",
 	},
 	SmtpSkipCertVerify: model.AppConfigVariable{
 		Key:          "smtpSkipCertVerify",
@@ -138,6 +139,16 @@ var defaultDbConfig = model.AppConfig{
 		Key:  "ldapBase",
 		Type: "string",
 	},
+	LdapUserSearchFilter: model.AppConfigVariable{
+		Key:          "ldapUserSearchFilter",
+		Type:         "string",
+		DefaultValue: "(objectClass=person)",
+	},
+	LdapUserGroupSearchFilter: model.AppConfigVariable{
+		Key:          "ldapUserGroupSearchFilter",
+		Type:         "string",
+		DefaultValue: "(objectClass=groupOfNames)",
+	},
 	LdapSkipCertVerify: model.AppConfigVariable{
 		Key:          "ldapSkipCertVerify",
 		Type:         "bool",
@@ -163,6 +174,15 @@ var defaultDbConfig = model.AppConfig{
 		Key:  "ldapAttributeUserLastName",
 		Type: "string",
 	},
+	LdapAttributeUserProfilePicture: model.AppConfigVariable{
+		Key:  "ldapAttributeUserProfilePicture",
+		Type: "string",
+	},
+	LdapAttributeGroupMember: model.AppConfigVariable{
+		Key:          "ldapAttributeGroupMember",
+		Type:         "string",
+		DefaultValue: "member",
+	},
 	LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
 		Key:  "ldapAttributeGroupUniqueIdentifier",
 		Type: "string",
@@ -178,12 +198,15 @@ var defaultDbConfig = model.AppConfig{
 }

 func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
-	var savedConfigVariables []model.AppConfigVariable
+	if common.EnvConfig.UiConfigDisabled {
+		return nil, &common.UiConfigDisabledError{}
+	}

 	tx := s.db.Begin()
 	rt := reflect.ValueOf(input).Type()
 	rv := reflect.ValueOf(input)

+	var savedConfigVariables []model.AppConfigVariable
 	for i := 0; i < rt.NumField(); i++ {
 		field := rt.Field(i)
 		key := field.Tag.Get("json")
@@ -244,9 +267,13 @@ func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariabl
 		return nil, err
 	}

-	// Set the value to the default value if it is empty
 	for i := range configuration {
-		if configuration[i].Value == "" && configuration[i].DefaultValue != "" {
+		if common.EnvConfig.UiConfigDisabled {
+			// Set the value to the environment variable if the UI config is disabled
+			configuration[i].Value = s.getConfigVariableFromEnvironmentVariable(configuration[i].Key, configuration[i].DefaultValue)
+
+		} else if configuration[i].Value == "" && configuration[i].DefaultValue != "" {
+			// Set the value to the default value if it is empty
 			configuration[i].Value = configuration[i].DefaultValue
 		}
 	}
@@ -345,12 +372,25 @@ func (s *AppConfigService) LoadDbConfigFromDb() error {
 			return err
 		}

-		if storedConfigVar.Value == "" && storedConfigVar.DefaultValue != "" {
+		if common.EnvConfig.UiConfigDisabled {
+			storedConfigVar.Value = s.getConfigVariableFromEnvironmentVariable(currentConfigVar.Key, storedConfigVar.DefaultValue)
+		} else if storedConfigVar.Value == "" && storedConfigVar.DefaultValue != "" {
 			storedConfigVar.Value = storedConfigVar.DefaultValue
 		}

 		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
+
 	}

 	return nil
 }
+
+func (s *AppConfigService) getConfigVariableFromEnvironmentVariable(key, fallbackValue string) string {
+	environmentVariableName := utils.CamelCaseToScreamingSnakeCase(key)
+
+	if value, exists := os.LookupEnv(environmentVariableName); exists {
+		return value
+	}
+
+	return fallbackValue
+}
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -1,12 +1,13 @@
 package service

 import (
-	userAgentParser "github.com/mileusna/useragent"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	"log"
+
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )

 type AuditLogService struct {
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -1,9 +1,9 @@
 package service

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )

--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -14,9 +14,9 @@ import (
 	ttemplate "text/template"
 	"time"

-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 	"gorm.io/gorm"
 )

@@ -115,18 +115,22 @@ func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
 	}

 	// Connect to the SMTP server
-	if srv.appConfigService.DbConfig.SmtpTls.Value == "false" {
+	// Connect to the SMTP server based on TLS setting
+	switch srv.appConfigService.DbConfig.SmtpTls.Value {
+	case "none":
 		client, err = srv.connectToSmtpServer(smtpAddress)
-	} else if port == "465" {
+	case "tls":
 		client, err = srv.connectToSmtpServerUsingImplicitTLS(
 			smtpAddress,
 			tlsConfig,
 		)
-	} else {
+	case "starttls":
 		client, err = srv.connectToSmtpServerUsingStartTLS(
 			smtpAddress,
 			tlsConfig,
 		)
+	default:
+		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", srv.appConfigService.DbConfig.SmtpTls.Value)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
--- a/backend/internal/service/email_service_templates.go
+++ b/backend/internal/service/email_service_templates.go
@@ -2,8 +2,9 @@ package service

 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 )

 /**
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -17,11 +17,12 @@ import (

 	"github.com/oschwald/maxminddb-golang/v2"

-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type GeoLiteService struct {
-	mutex sync.Mutex
+	disableUpdater bool
+	mutex          sync.Mutex
 }

 var localhostIPNets = []*net.IPNet{
@@ -43,6 +44,12 @@ var tailscaleIPNets = []*net.IPNet{
 func NewGeoLiteService() *GeoLiteService {
 	service := &GeoLiteService{}

+	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
+		// Warn the user, and disable the updater.
+		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
+		service.disableUpdater = true
+	}
+
 	go func() {
 		if err := service.updateDatabase(); err != nil {
 			log.Printf("Failed to update GeoLite2 City database: %v\n", err)
@@ -104,18 +111,19 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string

 // UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
 func (s *GeoLiteService) updateDatabase() error {
+	if s.disableUpdater {
+		// Avoid updating the GeoLite2 City database.
+		return nil
+	}
+
 	if s.isDatabaseUpToDate() {
 		log.Println("GeoLite2 City database is up-to-date.")
 		return nil
 	}

 	log.Println("Updating GeoLite2 City database...")
+	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)

-	// Download and extract the database
-	downloadUrl := fmt.Sprintf(
-		"https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz",
-		common.EnvConfig.MaxMindLicenseKey,
-	)
 	// Download the database tar.gz file
 	resp, err := http.Get(downloadUrl)
 	if err != nil {
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -8,10 +8,6 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"errors"
-	"fmt"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
 	"log"
 	"math/big"
 	"os"
@@ -19,6 +15,10 @@ import (
 	"slices"
 	"strconv"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 )

 const (
@@ -27,8 +27,8 @@ const (
 )

 type JwtService struct {
-	publicKey        *rsa.PublicKey
-	privateKey       *rsa.PrivateKey
+	PublicKey        *rsa.PublicKey
+	PrivateKey       *rsa.PrivateKey
 	appConfigService *AppConfigService
 }

@@ -71,7 +71,7 @@ func (s *JwtService) loadOrGenerateKeys() error {
 	if err != nil {
 		return errors.New("can't read jwt private key: " + err.Error())
 	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
+	s.PrivateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
 	if err != nil {
 		return errors.New("can't parse jwt private key: " + err.Error())
 	}
@@ -80,7 +80,7 @@ func (s *JwtService) loadOrGenerateKeys() error {
 	if err != nil {
 		return errors.New("can't read jwt public key: " + err.Error())
 	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+	s.PublicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
 	if err != nil {
 		return errors.New("can't parse jwt public key: " + err.Error())
 	}
@@ -100,7 +100,7 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 		IsAdmin: user.IsAdmin,
 	}

-	kid, err := s.generateKeyID(s.publicKey)
+	kid, err := s.generateKeyID(s.PublicKey)
 	if err != nil {
 		return "", errors.New("failed to generate key ID: " + err.Error())
 	}
@@ -108,12 +108,12 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
 	token.Header["kid"] = kid

-	return token.SignedString(s.privateKey)
+	return token.SignedString(s.PrivateKey)
 }

 func (s *JwtService) VerifyAccessToken(tokenString string) (*AccessTokenJWTClaims, error) {
 	token, err := jwt.ParseWithClaims(tokenString, &AccessTokenJWTClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
+		return s.PublicKey, nil
 	})
 	if err != nil || !token.Valid {
 		return nil, errors.New("couldn't handle this token")
@@ -146,7 +146,7 @@ func (s *JwtService) GenerateIDToken(userClaims map[string]interface{}, clientID
 		claims["nonce"] = nonce
 	}

-	kid, err := s.generateKeyID(s.publicKey)
+	kid, err := s.generateKeyID(s.PublicKey)
 	if err != nil {
 		return "", errors.New("failed to generate key ID: " + err.Error())
 	}
@@ -154,7 +154,7 @@ func (s *JwtService) GenerateIDToken(userClaims map[string]interface{}, clientID
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	token.Header["kid"] = kid

-	return token.SignedString(s.privateKey)
+	return token.SignedString(s.PrivateKey)
 }

 func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
@@ -166,7 +166,7 @@ func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string)
 		Issuer:    common.EnvConfig.AppURL,
 	}

-	kid, err := s.generateKeyID(s.publicKey)
+	kid, err := s.generateKeyID(s.PublicKey)
 	if err != nil {
 		return "", errors.New("failed to generate key ID: " + err.Error())
 	}
@@ -174,12 +174,12 @@ func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string)
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
 	token.Header["kid"] = kid

-	return token.SignedString(s.privateKey)
+	return token.SignedString(s.PrivateKey)
 }

 func (s *JwtService) VerifyOauthAccessToken(tokenString string) (*jwt.RegisteredClaims, error) {
 	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
+		return s.PublicKey, nil
 	})
 	if err != nil || !token.Valid {
 		return nil, errors.New("couldn't handle this token")
@@ -193,13 +193,30 @@ func (s *JwtService) VerifyOauthAccessToken(tokenString string) (*jwt.Registered
 	return claims, nil
 }

+func (s *JwtService) VerifyIdToken(tokenString string) (*jwt.RegisteredClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return s.PublicKey, nil
+	}, jwt.WithIssuer(common.EnvConfig.AppURL))
+
+	if err != nil && !errors.Is(err, jwt.ErrTokenExpired) {
+		return nil, errors.New("couldn't handle this token")
+	}
+
+	claims, isValid := token.Claims.(*jwt.RegisteredClaims)
+	if !isValid {
+		return nil, errors.New("can't parse claims")
+	}
+
+	return claims, nil
+}
+
 // GetJWK returns the JSON Web Key (JWK) for the public key.
 func (s *JwtService) GetJWK() (JWK, error) {
-	if s.publicKey == nil {
+	if s.PublicKey == nil {
 		return JWK{}, errors.New("public key is not initialized")
 	}

-	kid, err := s.generateKeyID(s.publicKey)
+	kid, err := s.generateKeyID(s.PublicKey)
 	if err != nil {
 		return JWK{}, err
 	}
@@ -209,8 +226,8 @@ func (s *JwtService) GetJWK() (JWK, error) {
 		Kty: "RSA",
 		Use: "sig",
 		Alg: "RS256",
-		N:   base64.RawURLEncoding.EncodeToString(s.publicKey.N.Bytes()),
-		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(s.publicKey.E)).Bytes()),
+		N:   base64.RawURLEncoding.EncodeToString(s.PublicKey.N.Bytes()),
+		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(s.PublicKey.E)).Bytes()),
 	}

 	return jwk, nil
@@ -245,14 +262,14 @@ func (s *JwtService) generateKeys() error {
 	if err != nil {
 		return errors.New("failed to generate private key: " + err.Error())
 	}
-	s.privateKey = privateKey
+	s.PrivateKey = privateKey

 	if err := s.savePEMKey(privateKeyPath, x509.MarshalPKCS1PrivateKey(privateKey), "RSA PRIVATE KEY"); err != nil {
 		return err
 	}

 	publicKey := &privateKey.PublicKey
-	s.publicKey = publicKey
+	s.PublicKey = publicKey

 	if err := s.savePEMKey(publicKeyPath, x509.MarshalPKCS1PublicKey(publicKey), "RSA PUBLIC KEY"); err != nil {
 		return err
@@ -280,32 +297,3 @@ func (s *JwtService) savePEMKey(path string, keyBytes []byte, keyType string) er

 	return nil
 }
-
-// loadKeys loads RSA keys from the given paths.
-func (s *JwtService) loadKeys() error {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		if err := s.generateKeys(); err != nil {
-			return err
-		}
-	}
-
-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
-	if err != nil {
-		return fmt.Errorf("can't read jwt private key: %w", err)
-	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		return fmt.Errorf("can't parse jwt private key: %w", err)
-	}
-
-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
-	if err != nil {
-		return fmt.Errorf("can't read jwt public key: %w", err)
-	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
-	if err != nil {
-		return fmt.Errorf("can't parse jwt public key: %w", err)
-	}
-
-	return nil
-}
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -1,14 +1,20 @@
 package service

 import (
+	"bytes"
 	"crypto/tls"
+	"encoding/base64"
+	"errors"
 	"fmt"
+	"io"
 	"log"
+	"net/http"
+	"net/url"
 	"strings"

 	"github.com/go-ldap/ldap/v3"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )

@@ -70,12 +76,13 @@ func (s *LdapService) SyncGroups() error {
 	baseDN := s.appConfigService.DbConfig.LdapBase.Value
 	nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
 	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
-	filter := "(objectClass=groupOfUniqueNames)"
+	groupMemberOfAttribute := s.appConfigService.DbConfig.LdapAttributeGroupMember.Value
+	filter := s.appConfigService.DbConfig.LdapUserGroupSearchFilter.Value

 	searchAttrs := []string{
 		nameAttribute,
 		uniqueIdentifierAttribute,
-		"member",
+		groupMemberOfAttribute,
 	}

 	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
@@ -88,7 +95,6 @@ func (s *LdapService) SyncGroups() error {
 	ldapGroupIDs := make(map[string]bool)

 	for _, value := range result.Entries {
-		var usersToAddDto dto.UserGroupUpdateUsersDto
 		var membersUserId []string

 		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
@@ -99,14 +105,24 @@ func (s *LdapService) SyncGroups() error {
 		s.db.Where("ldap_id = ?", ldapId).First(&databaseGroup)

 		// Get group members and add to the correct Group
-		groupMembers := value.GetAttributeValues("member")
+		groupMembers := value.GetAttributeValues(groupMemberOfAttribute)
 		for _, member := range groupMembers {
 			// Normal output of this would be CN=username,ou=people,dc=example,dc=com
 			// Splitting at the "=" and "," then just grabbing the username for that string
 			singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0]

 			var databaseUser model.User
-			s.db.Where("username = ?", singleMember).First(&databaseUser)
+			err := s.db.Where("username = ? AND ldap_id IS NOT NULL", singleMember).First(&databaseUser).Error
+			if err != nil {
+				if errors.Is(err, gorm.ErrRecordNotFound) {
+					// The user collides with a non-LDAP user, so we skip it
+					continue
+				} else {
+					return err
+				}
+
+			}
+
 			membersUserId = append(membersUserId, databaseUser.ID)
 		}

@@ -116,7 +132,7 @@ func (s *LdapService) SyncGroups() error {
 			LdapID:       value.GetAttributeValue(uniqueIdentifierAttribute),
 		}

-		usersToAddDto = dto.UserGroupUpdateUsersDto{
+		usersToAddDto := dto.UserGroupUpdateUsersDto{
 			UserIDs: membersUserId,
 		}

@@ -175,9 +191,9 @@ func (s *LdapService) SyncUsers() error {
 	emailAttribute := s.appConfigService.DbConfig.LdapAttributeUserEmail.Value
 	firstNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserFirstName.Value
 	lastNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserLastName.Value
+	profilePictureAttribute := s.appConfigService.DbConfig.LdapAttributeUserProfilePicture.Value
 	adminGroupAttribute := s.appConfigService.DbConfig.LdapAttributeAdminGroup.Value
-
-	filter := "(objectClass=person)"
+	filter := s.appConfigService.DbConfig.LdapUserSearchFilter.Value

 	searchAttrs := []string{
 		"memberOf",
@@ -188,6 +204,7 @@ func (s *LdapService) SyncUsers() error {
 		emailAttribute,
 		firstNameAttribute,
 		lastNameAttribute,
+		profilePictureAttribute,
 	}

 	// Filters must start and finish with ()!
@@ -236,9 +253,14 @@ func (s *LdapService) SyncUsers() error {
 			if err != nil {
 				log.Printf("Error syncing user %s: %s", newUser.Username, err)
 			}
-
 		}

+		// Save profile picture
+		if pictureString := value.GetAttributeValue(profilePictureAttribute); pictureString != "" {
+			if err := s.SaveProfilePicture(databaseUser.ID, pictureString); err != nil {
+				log.Printf("Error saving profile picture for user %s: %s", newUser.Username, err)
+			}
+		}
 	}

 	// Get all LDAP users from the database
@@ -250,7 +272,7 @@ func (s *LdapService) SyncUsers() error {
 	// Delete users that no longer exist in LDAP
 	for _, user := range ldapUsersInDb {
 		if _, exists := ldapUserIDs[*user.LdapID]; !exists {
-			if err := s.db.Delete(&model.User{}, "ldap_id = ?", user.LdapID).Error; err != nil {
+			if err := s.userService.DeleteUser(user.ID); err != nil {
 				log.Printf("Failed to delete user %s with: %v", user.Username, err)
 			} else {
 				log.Printf("Deleted user %s", user.Username)
@@ -259,3 +281,33 @@ func (s *LdapService) SyncUsers() error {
 	}
 	return nil
 }
+
+func (s *LdapService) SaveProfilePicture(userId string, pictureString string) error {
+	var reader io.Reader
+
+	if _, err := url.ParseRequestURI(pictureString); err == nil {
+		// If the photo is a URL, download it
+		response, err := http.Get(pictureString)
+		if err != nil {
+			return fmt.Errorf("failed to download profile picture: %w", err)
+		}
+		defer response.Body.Close()
+
+		reader = response.Body
+
+	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
+		// If the photo is a base64 encoded string, decode it
+		reader = bytes.NewReader(decodedPhoto)
+
+	} else {
+		// If the photo is a string, we assume that it's a binary string
+		reader = bytes.NewReader([]byte(pictureString))
+	}
+
+	// Update the profile picture
+	if err := s.userService.UpdateProfilePicture(userId, reader); err != nil {
+		return fmt.Errorf("failed to update profile picture: %w", err)
+	}
+
+	return nil
+}
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -3,20 +3,22 @@ package service
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"golang.org/x/crypto/bcrypt"
-	"gorm.io/gorm"
 	"mime/multipart"
 	"os"
 	"regexp"
 	"strings"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
 )

 type OidcService struct {
@@ -49,7 +51,7 @@ func (s *OidcService) Authorize(input dto.AuthorizeOidcClientRequestDto, userID,
 	}

 	// Get the callback URL of the client. Return an error if the provided callback URL is not allowed
-	callbackURL, err := s.getCallbackURL(client, input.CallbackURL)
+	callbackURL, err := s.getCallbackURL(client.CallbackURLs, input.CallbackURL)
 	if err != nil {
 		return "", "", err
 	}
@@ -226,11 +228,12 @@ func (s *OidcService) ListClients(searchTerm string, sortedPaginationRequest uti

 func (s *OidcService) CreateClient(input dto.OidcClientCreateDto, userID string) (model.OidcClient, error) {
 	client := model.OidcClient{
-		Name:         input.Name,
-		CallbackURLs: input.CallbackURLs,
-		CreatedByID:  userID,
-		IsPublic:     input.IsPublic,
-		PkceEnabled:  input.IsPublic || input.PkceEnabled,
+		Name:               input.Name,
+		CallbackURLs:       input.CallbackURLs,
+		LogoutCallbackURLs: input.LogoutCallbackURLs,
+		CreatedByID:        userID,
+		IsPublic:           input.IsPublic,
+		PkceEnabled:        input.IsPublic || input.PkceEnabled,
 	}

 	if err := s.db.Create(&client).Error; err != nil {
@@ -248,6 +251,7 @@ func (s *OidcService) UpdateClient(clientID string, input dto.OidcClientCreateDt

 	client.Name = input.Name
 	client.CallbackURLs = input.CallbackURLs
+	client.LogoutCallbackURLs = input.LogoutCallbackURLs
 	client.IsPublic = input.IsPublic
 	client.PkceEnabled = input.IsPublic || input.PkceEnabled

@@ -397,6 +401,7 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 		"family_name":        user.LastName,
 		"name":               user.FullName(),
 		"preferred_username": user.Username,
+		"picture":            fmt.Sprintf("%s/api/users/%s/profile-picture.png", common.EnvConfig.AppURL, user.ID),
 	}

 	if strings.Contains(scope, "profile") {
@@ -412,7 +417,16 @@ func (s *OidcService) GetUserClaimsForClient(userID string, clientID string) (ma
 		}

 		for _, customClaim := range customClaims {
-			claims[customClaim.Key] = customClaim.Value
+			// The value of the custom claim can be a JSON object or a string
+			var jsonValue interface{}
+			json.Unmarshal([]byte(customClaim.Value), &jsonValue)
+			if jsonValue != nil {
+				// It's JSON so we store it as an object
+				claims[customClaim.Key] = jsonValue
+			} else {
+				// Marshalling failed, so we store it as a string
+				claims[customClaim.Key] = customClaim.Value
+			}
 		}
 	}
 	if strings.Contains(scope, "email") {
@@ -449,6 +463,46 @@ func (s *OidcService) UpdateAllowedUserGroups(id string, input dto.OidcUpdateAll
 	return client, nil
 }

+// ValidateEndSession returns the logout callback URL for the client if all the validations pass
+func (s *OidcService) ValidateEndSession(input dto.OidcLogoutDto, userID string) (string, error) {
+	// If no ID token hint is provided, return an error
+	if input.IdTokenHint == "" {
+		return "", &common.TokenInvalidError{}
+	}
+
+	// If the ID token hint is provided, verify the ID token
+	claims, err := s.jwtService.VerifyIdToken(input.IdTokenHint)
+	if err != nil {
+		return "", &common.TokenInvalidError{}
+	}
+
+	// If the client ID is provided check if the client ID in the ID token matches the client ID in the request
+	if input.ClientId != "" && claims.Audience[0] != input.ClientId {
+		return "", &common.OidcClientIdNotMatchingError{}
+	}
+
+	clientId := claims.Audience[0]
+
+	// Check if the user has authorized the client before
+	var userAuthorizedOIDCClient model.UserAuthorizedOidcClient
+	if err := s.db.Preload("Client").First(&userAuthorizedOIDCClient, "client_id = ? AND user_id = ?", clientId, userID).Error; err != nil {
+		return "", &common.OidcMissingAuthorizationError{}
+	}
+
+	// If the client has no logout callback URLs, return an error
+	if len(userAuthorizedOIDCClient.Client.LogoutCallbackURLs) == 0 {
+		return "", &common.OidcNoCallbackURLError{}
+	}
+
+	callbackURL, err := s.getCallbackURL(userAuthorizedOIDCClient.Client.LogoutCallbackURLs, input.PostLogoutRedirectUri)
+	if err != nil {
+		return "", err
+	}
+
+	return callbackURL, nil
+
+}
+
 func (s *OidcService) createAuthorizationCode(clientID string, userID string, scope string, nonce string, codeChallenge string, codeChallengeMethod string) (string, error) {
 	randomString, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {
@@ -495,12 +549,12 @@ func (s *OidcService) validateCodeVerifier(codeVerifier, codeChallenge string, c
 	return encodedVerifierHash == codeChallenge
 }

-func (s *OidcService) getCallbackURL(client model.OidcClient, inputCallbackURL string) (callbackURL string, err error) {
+func (s *OidcService) getCallbackURL(urls []string, inputCallbackURL string) (callbackURL string, err error) {
 	if inputCallbackURL == "" {
-		return client.CallbackURLs[0], nil
+		return urls[0], nil
 	}

-	for _, callbackPattern := range client.CallbackURLs {
+	for _, callbackPattern := range urls {
 		regexPattern := strings.ReplaceAll(regexp.QuoteMeta(callbackPattern), `\*`, ".*") + "$"
 		matched, err := regexp.MatchString(regexPattern, inputCallbackURL)
 		if err != nil {
--- a/backend/internal/service/test_service.go
+++ b/backend/internal/service/test_service.go
@@ -4,29 +4,32 @@ import (
 	"crypto/ecdsa"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
-	"github.com/fxamacker/cbor/v2"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path/filepath"
 	"time"

+	"github.com/fxamacker/cbor/v2"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/resources"
+
 	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )

 type TestService struct {
 	db               *gorm.DB
+	jwtService       *JwtService
 	appConfigService *AppConfigService
 }

-func NewTestService(db *gorm.DB, appConfigService *AppConfigService) *TestService {
-	return &TestService{db: db, appConfigService: appConfigService}
+func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService) *TestService {
+	return &TestService{db: db, appConfigService: appConfigService, jwtService: jwtService}
 }

 func (s *TestService) SeedDatabase() error {
@@ -111,11 +114,12 @@ func (s *TestService) SeedDatabase() error {
 				Base: model.Base{
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
-				Name:         "Nextcloud",
-				Secret:       "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
-				CallbackURLs: model.CallbackURLs{"http://nextcloud/auth/callback"},
-				ImageType:    utils.StringPointer("png"),
-				CreatedByID:  users[0].ID,
+				Name:               "Nextcloud",
+				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
+				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
+				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
+				ImageType:          utils.StringPointer("png"),
+				CreatedByID:        users[0].ID,
 			},
 			{
 				Base: model.Base{
@@ -123,7 +127,7 @@ func (s *TestService) SeedDatabase() error {
 				},
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
-				CallbackURLs: model.CallbackURLs{"http://immich/auth/callback"},
+				CallbackURLs: model.UrlList{"http://immich/auth/callback"},
 				CreatedByID:  users[1].ID,
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[1],
@@ -287,6 +291,43 @@ func (s *TestService) ResetAppConfig() error {
 	return s.appConfigService.LoadDbConfigFromDb()
 }

+func (s *TestService) SetJWTKeys() {
+	privateKeyString := `-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAyaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B
+83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC+585UXacoJ0c
+hUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl/4EDDTO8HwawTjwkPo
+QlRzeByhlvGPVvwgB3Fn93B8QJ/cZhXKxJvjjrC/8Pk76heC/ntEMru71Ix77BoC
+3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeO
+Zl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJwIDAQABAoIBAQCa8wNZJ08+9y6b
+RzSIQcTaBuq1XY0oyYvCuX0ToruDyVNX3lJ48udb9vDIw9XsQans9CTeXXsjldGE
+WPN7sapOcUg6ArMyJqc+zuO/YQu0EwYrTE48BOC7WIZvvTFnq9y+4R9HJjd0nTOv
+iOlR1W5fAqbH2srgh1mfZ0UIp+9K6ymoinPXVGEXUAuuoMuTEZW/tnA2HT9WEllT
+2FyMbmXrFzutAQqk9GRmnQh2OQZLxnQWyShVqJEhYBtm6JUUH1YJbyTVzMLgdBM8
+ukgjTVtRDHaW51ubRSVdGBVT2m1RRtTsYAiZCpM5bwt88aSUS9yDOUiVH+irDg/3
+IHEuL7IxAoGBAP2MpXPXtOwinajUQ9hKLDAtpq4axGvY+aGP5dNEMsuPo5ggOfUP
+b4sqr73kaNFO3EbxQOQVoFjehhi4dQxt1/kAala9HZ5N7s26G2+eUWFF8jy7gWSN
+qusNqGrG4g8D3WOyqZFb/x/m6SE0Jcg7zvIYbnAOq1Fexeik0Fc/DNzLAoGBAMua
+d4XIfu4ydtU5AIaf1ZNXywgLg+LWxK8ELNqH/Y2vLAeIiTrOVp+hw9z+zHPD5cnu
+6mix783PCOYNLTylrwtAz3fxSz14lsDFQM3ntzVF/6BniTTkKddctcPyqnTvamah
+0hD2dzXBS/0mTBYIIMYTNbs0Yj87FTdJZw/+qa2VAoGBAKbzQkp54W6PCIMPabD0
+fg4nMRZ5F5bv4seIKcunn068QPs9VQxQ4qCfNeLykDYqGA86cgD9YHzD4UZLxv6t
+IUWbCWod0m/XXwPlpIUlmO5VEUD+MiAUzFNDxf6xAE7ku5UXImJNUjseX6l2Xd5v
+yz9L6QQuFI5aujQKugiIwp5rAoGATtUVGCCkPNgfOLmkYXu7dxxUCV5kB01+xAEK
+2OY0n0pG8vfDophH4/D/ZC7nvJ8J9uDhs/3JStexq1lIvaWtG99RNTChIEDzpdn6
+GH9yaVcb/eB4uJjrNm64FhF8PGCCwxA+xMCZMaARKwhMB2/IOMkxUbWboL3gnhJ2
+rDO/QO0CgYEA2Grt6uXHm61ji3xSdkBWNtUnj19vS1+7rFJp5SoYztVQVThf/W52
+BAiXKBdYZDRVoItC/VS2NvAOjeJjhYO/xQ/q3hK7MdtuXfEPpLnyXKkmWo3lrJ26
+wbeF6l05LexCkI7ShsOuSt+dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI=
+-----END RSA PRIVATE KEY-----
+`
+
+	block, _ := pem.Decode([]byte(privateKeyString))
+	privateKey, _ := x509.ParsePKCS1PrivateKey(block.Bytes)
+
+	s.jwtService.PrivateKey = privateKey
+	s.jwtService.PublicKey = &privateKey.PublicKey
+}
+
 // getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
 func (s *TestService) getCborPublicKey(base64PublicKey string) ([]byte, error) {
 	decodedKey, err := base64.StdEncoding.DecodeString(base64PublicKey)
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -2,10 +2,11 @@ package service

 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
 )

--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -3,17 +3,22 @@ package service
 import (
 	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
+	"github.com/google/uuid"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/image"
+	"io"
 	"log"
 	"net/url"
+	"os"
 	"strings"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )

 type UserService struct {
@@ -47,6 +52,71 @@ func (s *UserService) GetUser(userID string) (model.User, error) {
 	return user, err
 }

+func (s *UserService) GetProfilePicture(userID string) (io.Reader, int64, error) {
+	// Validate the user ID to prevent directory traversal
+	if err := uuid.Validate(userID); err != nil {
+		return nil, 0, &common.InvalidUUIDError{}
+	}
+
+	profilePicturePath := fmt.Sprintf("%s/profile-pictures/%s.png", common.EnvConfig.UploadPath, userID)
+	file, err := os.Open(profilePicturePath)
+	if err == nil {
+		// Get the file size
+		fileInfo, err := file.Stat()
+		if err != nil {
+			return nil, 0, err
+		}
+		return file, fileInfo.Size(), nil
+	}
+
+	// If the file does not exist, return the default profile picture
+	user, err := s.GetUser(userID)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	defaultPicture, err := profilepicture.CreateDefaultProfilePicture(user.FirstName, user.LastName)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return defaultPicture, int64(defaultPicture.Len()), nil
+}
+
+func (s *UserService) UpdateProfilePicture(userID string, file io.Reader) error {
+	// Validate the user ID to prevent directory traversal
+	if err := uuid.Validate(userID); err != nil {
+		return &common.InvalidUUIDError{}
+	}
+
+	// Convert the image to a smaller square image
+	profilePicture, err := profilepicture.CreateProfilePicture(file)
+	if err != nil {
+		return err
+	}
+
+	// Ensure the directory exists
+	profilePictureDir := fmt.Sprintf("%s/profile-pictures", common.EnvConfig.UploadPath)
+	if err := os.MkdirAll(profilePictureDir, os.ModePerm); err != nil {
+		return err
+	}
+
+	// Create the profile picture file
+	createdProfilePicture, err := os.Create(fmt.Sprintf("%s/%s.png", profilePictureDir, userID))
+	if err != nil {
+		return err
+	}
+	defer createdProfilePicture.Close()
+
+	// Copy the image to the file
+	_, err = io.Copy(createdProfilePicture, profilePicture)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (s *UserService) DeleteUser(userID string) error {
 	var user model.User
 	if err := s.db.Where("id = ?", userID).First(&user).Error; err != nil {
@@ -58,6 +128,12 @@ func (s *UserService) DeleteUser(userID string) error {
 		return &common.LdapUserUpdateError{}
 	}

+	// Delete the profile picture
+	profilePicturePath := fmt.Sprintf("%s/profile-pictures/%s.png", common.EnvConfig.UploadPath, userID)
+	if err := os.Remove(profilePicturePath); err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
 	return s.db.Delete(&user).Error
 }

--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -1,15 +1,16 @@
 package service

 import (
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"gorm.io/gorm"
 	"net/http"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/webauthn"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
 )

 type WebAuthnService struct {
--- a/backend/internal/utils/cookie/cookie_names.go
+++ b/backend/internal/utils/cookie/cookie_names.go
@@ -1,8 +1,9 @@
 package cookie

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 var AccessTokenCookieName = "__Host-access_token"
--- a/backend/internal/utils/email/email_service_templates.go
+++ b/backend/internal/utils/email/email_service_templates.go
@@ -2,11 +2,12 @@ package email

 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/resources"
 	htemplate "html/template"
 	"io/fs"
 	"path"
 	ttemplate "text/template"
+
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 type Template[V any] struct {
--- a/backend/internal/utils/file_util.go
+++ b/backend/internal/utils/file_util.go
@@ -1,12 +1,13 @@
 package utils

 import (
-	"github.com/stonith404/pocket-id/backend/resources"
 	"io"
 	"mime/multipart"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 func GetFileExtension(filename string) string {
--- a/backend/internal/utils/image/profile_picture.go
+++ b/backend/internal/utils/image/profile_picture.go
@@ -0,0 +1,96 @@
+package profilepicture
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/disintegration/imaging"
+	"github.com/pocket-id/pocket-id/backend/resources"
+	"golang.org/x/image/font"
+	"golang.org/x/image/font/opentype"
+	"golang.org/x/image/math/fixed"
+	"image"
+	"image/color"
+	"io"
+	"strings"
+)
+
+const profilePictureSize = 300
+
+// CreateProfilePicture resizes the profile picture to a square
+func CreateProfilePicture(file io.Reader) (*bytes.Buffer, error) {
+	img, err := imaging.Decode(file)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode image: %w", err)
+	}
+
+	img = imaging.Fill(img, profilePictureSize, profilePictureSize, imaging.Center, imaging.Lanczos)
+
+	var buf bytes.Buffer
+	err = imaging.Encode(&buf, img, imaging.PNG)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode image: %v", err)
+	}
+
+	return &buf, nil
+}
+
+// CreateDefaultProfilePicture creates a profile picture with the initials
+func CreateDefaultProfilePicture(firstName, lastName string) (*bytes.Buffer, error) {
+	// Get the initials
+	initials := ""
+	if len(firstName) > 0 {
+		initials += string(firstName[0])
+	}
+	if len(lastName) > 0 {
+		initials += string(lastName[0])
+	}
+	initials = strings.ToUpper(initials)
+
+	// Create a blank image with a white background
+	img := imaging.New(profilePictureSize, profilePictureSize, color.RGBA{R: 255, G: 255, B: 255, A: 255})
+
+	// Load the font
+	fontBytes, err := resources.FS.ReadFile("fonts/PlayfairDisplay-Bold.ttf")
+	if err != nil {
+		return nil, fmt.Errorf("failed to read font file: %w", err)
+	}
+
+	// Parse the font
+	fontFace, err := opentype.Parse(fontBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse font: %w", err)
+	}
+
+	// Create a font.Face with a specific size
+	fontSize := 160.0
+	face, err := opentype.NewFace(fontFace, &opentype.FaceOptions{
+		Size: fontSize,
+		DPI:  72,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create font face: %w", err)
+	}
+
+	// Create a drawer for the image
+	drawer := &font.Drawer{
+		Dst:  img,
+		Src:  image.NewUniform(color.RGBA{R: 0, G: 0, B: 0, A: 255}), // Black text color
+		Face: face,
+	}
+
+	// Center the initials
+	x := (profilePictureSize - font.MeasureString(face, initials).Ceil()) / 2
+	y := (profilePictureSize-face.Metrics().Height.Ceil())/2 + face.Metrics().Ascent.Ceil() - 10
+	drawer.Dot = fixed.P(x, y)
+
+	// Draw the initials
+	drawer.DrawString(initials)
+
+	var buf bytes.Buffer
+	err = imaging.Encode(&buf, img, imaging.PNG)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode image: %v", err)
+	}
+
+	return &buf, nil
+}
--- a/backend/internal/utils/string_util.go
+++ b/backend/internal/utils/string_util.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"math/big"
 	"net/url"
+	"regexp"
+	"strings"
 	"unicode"
 )

@@ -62,3 +64,12 @@ func CamelCaseToSnakeCase(s string) string {
 	}
 	return string(result)
 }
+
+func CamelCaseToScreamingSnakeCase(s string) string {
+	// Insert underscores before uppercase letters (except the first one)
+	re := regexp.MustCompile(`([a-z0-9])([A-Z])`)
+	snake := re.ReplaceAllString(s, `${1}_${2}`)
+
+	// Convert to uppercase
+	return strings.ToUpper(snake)
+}
--- a/backend/resources/email-templates/components/style_html.tmpl
+++ b/backend/resources/email-templates/components/style_html.tmpl
@@ -1,95 +1,92 @@
 {{ define "style" }}
 <style>
-  body {
-    font-family: Arial, sans-serif;
-    background-color: #f0f0f0;
-    color: #333;
-    margin: 0;
-    padding: 0;
-  }
-  .container {
-    background-color: #fff;
-    color: #333;
-    padding: 32px;
-    border-radius: 10px;
-    max-width: 600px;
-    margin: 40px auto;
-    box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-  }
-  .header {
-    display: flex;
-    justify-content: space-between;
-    align-items: center;
-    margin-bottom: 24px;
-  }
-  .header .logo {
-    display: flex;
-    align-items: center;
-    gap: 8px;
-  }
-  .header .logo img {
-    width: 32px;
-    height: 32px;
-    object-fit: cover;
-  }
-  .header h1 {
-    font-size: 1.5rem;
-    font-weight: bold;
-  }
-  .warning {
-    background-color: #ffd966;
-    color: #7f6000;
-    padding: 4px 12px;
-    border-radius: 50px;
-    font-size: 0.875rem;
-  }
-  .content {
-    background-color: #fafafa;
-    color: #333;
-    padding: 24px;
-    border-radius: 10px;
-  }
-  .content h2 {
-    font-size: 1.25rem;
-    font-weight: bold;
-    margin-bottom: 16px;
-  }
-  .grid {
-    display: grid;
-    grid-template-columns: 1fr 1fr;
-    gap: 16px;
-    margin-bottom: 16px;
-  }
-  .grid div {
-    display: flex;
-    flex-direction: column;
-  }
-  .grid p {
-    margin: 0;
-  }
-  .label {
-    color: #888;
-    font-size: 0.875rem;
-    margin-bottom: 4px;
-  }
-  .message {
-    font-size: 1rem;
-    line-height: 1.5;
-  }
-  .button {
-      border-radius: 0.375rem;
-      font-size: 1rem;
-      font-weight: 500;
-      background-color: #000000;
-      color: #ffffff;
-      padding: 0.7rem 1.5rem;
-      outline: none;
-      border: none;
-      text-decoration: none;
-  }
-  .button-container {
-    text-align: center;
-    margin-top: 24px;
-  }
+/* Reset styles for email clients */
+ body, table, td, p, a {
+     margin: 0;
+     padding: 0;
+     border: 0;
+     font-size: 100%;
+     font-family: Arial, sans-serif;
+     line-height: 1.5;
+}
+ body {
+     background-color: #f0f0f0;
+     color: #333;
+}
+ .container {
+     width: 100%;
+     max-width: 600px;
+     margin: 40px auto;
+     background-color: #fff;
+     border-radius: 10px;
+     box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
+     padding: 32px;
+}
+ .header {
+     display: flex;
+     margin-bottom: 24px;
+}
+ .header .logo img {
+     width: 32px;
+     height: 32px;
+     vertical-align: middle;
+}
+ .header h1 {
+     font-size: 1.5rem;
+     font-weight: bold;
+     display: inline-block;
+     vertical-align: middle;
+     margin-left: 8px;
+}
+ .warning {
+     background-color: #ffd966;
+     color: #7f6000;
+     padding: 4px 12px;
+     border-radius: 50px;
+     font-size: 0.875rem;
+     margin: auto 0 auto auto;
+}
+ .content {
+     background-color: #fafafa;
+     padding: 24px;
+     border-radius: 10px;
+}
+ .content h2 {
+     font-size: 1.25rem;
+     font-weight: bold;
+     margin-bottom: 16px;
+}
+ .grid {
+     width: 100%;
+     margin-bottom: 16px;
+}
+ .grid td {
+     width: 50%;
+     padding-bottom: 8px;
+     vertical-align: top;
+}
+ .label {
+     color: #888;
+     font-size: 0.875rem;
+}
+ .message {
+     font-size: 1rem;
+     line-height: 1.5;
+     margin-top: 16px;
+}
+ .button {
+     background-color: #000000;
+     color: #ffffff;
+     padding: 0.7rem 1.5rem;
+     text-decoration: none;
+     border-radius: 4px;
+     font-size: 1rem;
+     font-weight: 500;
+     display: inline-block;
+     margin-top: 24px;
+}
+ .button-container {
+     text-align: center;
+}
 </style>
 {{ end }}
--- a/backend/resources/email-templates/login-with-new-device_html.tmpl
+++ b/backend/resources/email-templates/login-with-new-device_html.tmpl
@@ -1,36 +1,40 @@
 {{ define "base" }}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-        <div class="warning">Warning</div>
-    </div>
-    <div class="content">
-        <h2>New Sign-In Detected</h2>
-        <div class="grid">
-            {{ if and .Data.City .Data.Country }}
-            <div>
-                <p class="label">Approximate Location</p>
-                <p>{{ .Data.City }}, {{ .Data.Country }}</p>
-            </div>
-            {{ end }}
-            <div>
-                <p class="label">IP Address</p>
-                <p>{{ .Data.IPAddress }}</p>
-            </div>
-            <div>
-                <p class="label">Device</p>
-                <p>{{ .Data.Device }}</p>
-            </div>
-            <div>
-                <p class="label">Sign-In Time</p>
-                <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC" }}</p>
-            </div>
-        </div>
-        <p class="message">
-            This sign-in was detected from a new device or location. If you recognize this activity, you can
-            safely ignore this message. If not, please review your account and security settings.
-        </p>
-    </div>
+<div class="header">
+   <div class="logo">
+      <img src="{{ .LogoURL }}" alt="{{ .AppName }}"/>
+      <h1>{{ .AppName }}</h1>
+   </div>
+   <div class="warning">Warning</div>
+</div>
+<div class="content">
+   <h2>New Sign-In Detected</h2>
+   <table class="grid">
+      <tr>
+         {{ if and .Data.City .Data.Country }}
+         <td>
+            <p class="label">Approximate Location</p>
+            <p>{{ .Data.City }}, {{ .Data.Country }}</p>
+         </td>
+         {{ end }}
+         <td>
+            <p class="label">IP Address</p>
+            <p>{{ .Data.IPAddress }}</p>
+         </td>
+      </tr>
+      <tr>
+         <td>
+            <p class="label">Device</p>
+            <p>{{ .Data.Device }}</p>
+         </td>
+         <td>
+            <p class="label">Sign-In Time</p>
+            <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC" }}</p>
+         </td>
+      </tr>
+   </table>
+   <p class="message">
+      This sign-in was detected from a new device or location. If you recognize this activity, you can
+      safely ignore this message. If not, please review your account and security settings.
+   </p>
+</div>
 {{ end -}}
--- a/backend/resources/files.go
+++ b/backend/resources/files.go
@@ -4,5 +4,5 @@ import "embed"

 // Embedded file systems for the project

-//go:embed email-templates images migrations
+//go:embed email-templates images migrations fonts
 var FS embed.FS
--- a/backend/resources/fonts/PlayfairDisplay-Bold.ttf
+++ b/backend/resources/fonts/PlayfairDisplay-Bold.ttf
--- a/backend/resources/migrations/postgres/20250210152631_post_logout_url.down.sql
+++ b/backend/resources/migrations/postgres/20250210152631_post_logout_url.down.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
--- a/backend/resources/migrations/postgres/20250210152631_post_logout_url.up.sql
+++ b/backend/resources/migrations/postgres/20250210152631_post_logout_url.up.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls JSONB;
--- a/backend/resources/migrations/postgres/20250225182112_manual_smtp_tls_selection.down.sql
+++ b/backend/resources/migrations/postgres/20250225182112_manual_smtp_tls_selection.down.sql
@@ -0,0 +1 @@
+UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';
--- a/backend/resources/migrations/postgres/20250225182112_manual_smtp_tls_selection.up.sql
+++ b/backend/resources/migrations/postgres/20250225182112_manual_smtp_tls_selection.up.sql
@@ -0,0 +1,7 @@
+UPDATE app_config_variables AS target
+SET value = CASE
+    WHEN target.value = 'true' AND (SELECT value FROM app_config_variables WHERE key = 'smtpPort' LIMIT 1) = '587' THEN 'starttls'
+    WHEN target.value = 'true' THEN 'tls'
+    ELSE 'none'
+END
+    WHERE target.key = 'smtpTls';
--- a/backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql
+++ b/backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
--- a/backend/resources/migrations/sqlite/20250210152631_post_logout_url.up.sql
+++ b/backend/resources/migrations/sqlite/20250210152631_post_logout_url.up.sql
@@ -0,0 +1 @@
+ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls BLOB;
--- a/backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.down.sql
+++ b/backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.down.sql
@@ -0,0 +1 @@
+UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';
--- a/backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.up.sql
+++ b/backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.up.sql
@@ -0,0 +1,7 @@
+UPDATE app_config_variables
+SET value = CASE
+                WHEN value = 'true' AND (SELECT value FROM app_config_variables WHERE key = 'smtpPort' LIMIT 1) = '587' THEN 'starttls'
+                WHEN value = 'true' THEN 'tls'
+                ELSE 'none'
+    END
+WHERE key = 'smtpTls';
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  pocket-id:
-    image: stonith404/pocket-id  # or ghcr.io/stonith404/pocket-id
+    image: ghcr.io/pocket-id/pocket-id
    restart: unless-stopped
    env_file: .env
    ports:
--- a/docs/docs/client-examples/cloudflare-zero-trust.md
+++ b/docs/docs/client-examples/cloudflare-zero-trust.md
@@ -1,26 +0,0 @@
---
-id: cloudflare-zero-trust
---
-# Cloudflare Zero Trust
-
-**Note: Cloudflare will need to be able to reach your Pocket ID instance and vice versa for this to work correctly**
-
-## Pocket ID Setup
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Cloudflare Zero Trust`.
-2. Set a logo for this OIDC Client if you would like too.
-3. Set the callback URL to: `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
-4. Copy the Client ID, Client Secret, Authorization URL, Token URL, and Certificate URL for the next steps.
-
-## Cloudflare Zero Trust Setup
-
-1. Login to Cloudflare Zero Trust [Dashboard](https://one.dash.cloudflare.com/).
-2. Navigate to Settings > Authentication > Login Methods.
-3. Click `Add New` under login methods.
-4. Create a name for the new login method.
-5. Paste in the `Client ID` from Pocket ID into the `App ID` field.
-6. Paste the `Client Secret` from Pocket ID into the `Client Secret` field.
-7. Paste the `Authorization URL` from Pocket ID into the `Auth URL` field.
-8. Paste the `Token URL` from Pocket ID into the `Token URL` field.
-9. Paste the `Certificate URL` from Pocket ID into the `Certificate URL` field.
-10. Save the new login method and test to make sure it works with cloudflare.
--- a/docs/docs/client-examples/freshrss.md
+++ b/docs/docs/client-examples/freshrss.md
@@ -1,63 +0,0 @@
---
-id: freshrss
---
-
-# FreshRSS
-
-The following example variables are used, and should be replaced with your actual URLs.
-
- `freshrss.example.com` (The URL of your Proxmox instance.)
- `id.example.com` (The URL of your Pocket ID instance.)
-
-## Pocket ID Setup
-
-1. In Pocket ID create a new OIDC Client, name it, for example, `FreshRSS`.
-2. Set a logo for this OIDC Client if you would like to.
-3. Set the callback URL to: `https://freshrss.example.com`.
-4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for use in the next steps.
-
-## FreshRSS Setup
-
-See [FreshRSS’ OpenID Connect documentation](16_OpenID-Connect.md) for general OIDC settings.
-
-This is an example docker-compose file for FreshRSS with OIDC enabled.
-
-```yaml
-services:
-  freshrss:
-    image: freshrss/freshrss:1.25.0
-    container_name: freshrss
-    ports:
-      - 8080:80
-    volumes:
-      - /freshrss_data:/var/www/FreshRSS/data
-      - /freshrss_extensions:/var/www/FreshRSS/extensions
-    environment:
-      CRON_MIN: 1,31
-      TZ: Etc/UTC
-      OIDC_ENABLED: 1
-      OIDC_CLIENT_ID: <POCKET_ID_CLIENT_ID>
-      OIDC_CLIENT_SECRET: <POCKET_ID_SECRET>
-      OIDC_PROVIDER_METADATA_URL: https://id.example.com/.well-known/openid-configuration
-      OIDC_SCOPES: openid email profile
-      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Proto X-Forwarded-Host
-      OIDC_REMOTE_USER_CLAIM: preferred_username
-    restart: unless-stopped
-    networks:
-      - freshrss
-networks:
-  freshrss:
-    name: freshrss
-```
-
-:::important
-The Username used in Pocket ID must match the Username used in FreshRSS **exactly**. This also applies to case sensitivity. As of version `0.24` of Pocket ID all Usernames are required to be entirely lowercase. FreshRSS allows for uppercase. If a Pocket ID Username is `amanda` and your FreshRSS Username is `Amanda`, you will get a 403 error in FreshRSS and be unable to login. As of version `1.25` of FreshRSS, you are unable to change your username in the GUI. To change your FreshRSS username to lowercase or to match your Pocket ID username, you must nagivate to your FreshRSS volume location. Go to `data/users/` and change the folder for your user to the matching username in Pocket ID, then restart the FreshRSS container to apply the changes.
-:::
-
-## Complete OIDC Setup
-
-If you are setting up a new instance of FreshRSS, simply start the container with the OIDC variables and navigate to your FreshRSS URL.
-
-If you are adding OIDC to an existing FreshRSS instance, recreate the container with the docker-compose file with the OIDC variables in it and navigate to your FreshRSS URL. Go to `Settings > Authentication` and change the Authentication method to **HTTP** and hit Submit. Logout to test your OIDC connection.
-
-If you have an error with Pocket ID or are unable to login to your FreshRSS account, you can revert to password login by editing your `config.php` file for FreshRSS. Find the value for `auth_type` and change from `http_auth` to `form`. Restart the FreshRSS container to revert to password login.
--- a/docs/docs/client-examples/gitea.md
+++ b/docs/docs/client-examples/gitea.md
@@ -1,30 +0,0 @@
---
-id: gitea
---
-
-# Gitea
-
-## Pocket ID Setup
-
-1. In Pocket ID, create a new OIDC client named `Gitea` (or any name you prefer).  
-2. (Optional) Set a logo for the OIDC client.  
-3. Set the callback URL to: `https://<Gitea Host>/user/oauth2/PocketID/callback`  
-4. Copy the `Client ID`, `Client Secret`, and `OIDC Discovery URL` for the next steps.  
-
-## Gitea Setup
-
-1. Log in to Gitea as an admin.  
-2. Go to **Site Administration → Identity & Access → Authentication Sources**.  
-3. Click **Add Authentication Source**.  
-4. Set **Authentication Type** to `OAuth2`.  
-5. Set **Authentication Name** to `PocketID`.  
-   :::important  
-   If you change this name, update the callback URL in Pocket ID to match.  
-   :::  
-6. Set **OAuth2 Provider** to `OpenID Connect`.  
-7. Enter the `Client ID` into the **Client ID (Key)** field.  
-8. Enter the `Client Secret` into the **Client Secret** field.  
-9. Enter the `OIDC Discovery URL` into the **OpenID Connect Auto Discovery URL** field.  
-10. Enable **Skip local 2FA**.  
-11. Set **Additional Scopes** to `openid email profile`.  
-12. Save the settings and test the OAuth login.  
--- a/docs/docs/client-examples/grist.md
+++ b/docs/docs/client-examples/grist.md
@@ -1,22 +0,0 @@
---
-id: grist
---
-
-# Grist
-
-## Pocket ID Setup
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Grist`
-2. Set the callback url to: `https://<Grist Host>/oauth2/callback`
-3. In Grist (Docker/Docker Compose/etc), set these environment variables:
-
-```ini
-GRIST_OIDC_IDP_ISSUER="https://<Pocket ID Host>/.well-known/openid-configuration"
-GRIST_OIDC_IDP_CLIENT_ID="<Client ID from the OIDC Client created in Pocket ID>"
-GRIST_OIDC_IDP_CLIENT_SECRET="<Client Secret from the OIDC Client created in Pocket ID>"
-GRIST_OIDC_SP_HOST="https://<Grist Host>"
-GRIST_OIDC_IDP_SCOPES="openid email profile"  # Default
-GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=true  # Default=false, needs to be true for Pocket Id b/c end_session_endpoint is not implemented
-GRIST_OIDC_IDP_END_SESSION_ENDPOINT="https://<Pocket ID Host>/api/webauthn/logout" # Only set this if GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=false and you need to define a custom endpoint
-```
-4. Also ensure that the `GRIST_DEFAULT_EMAIL` env variable is set to the same email address as your user profile within Pocket ID
-5. Start/Restart Grist
--- a/docs/docs/client-examples/headscale.md
+++ b/docs/docs/client-examples/headscale.md
@@ -1,34 +0,0 @@
---
-id: headscale
---
-# Headscale
-
-## Create OIDC Client in Pocket ID
-1. Create a new OIDC Client in Pocket ID (e.g., `Headscale`).
-2. Set the callback URL:  `https://<HEADSCALE-DOMAIN>/oidc/callback`
-3. Enable `PKCE`.
-4. Copy the **Client ID** and **Client Secret**.
-
-## Configure Headscale
-> Refer to the example [`config.yaml`](https://github.com/juanfont/headscale/blob/main/config-example.yaml) for full OIDC configuration options.
-
-Add the following to `config.yaml`:
-
-```yaml
-oidc:
-  issuer: "https://<POCKET-ID-DOMAIN>"
-  client_id: "<CLIENT-ID>"
-  client_secret: "<CLIENT-SECRET>"
-  pkce:
-    enabled: true
-    method: S256
-```
-
-### (Optional) Restrict Access to Certain Groups
-To allow only specific groups, add:
-
-```yaml
-  scope: ["openid", "profile", "email", "groups"]
-  allowed_groups:
-    - <POCKET-ID-GROUP-NAME> #example: headscale 
-```
--- a/docs/docs/client-examples/hoarder.md
+++ b/docs/docs/client-examples/hoarder.md
@@ -1,25 +0,0 @@
---
-id: hoarder
---
-
-# Hoarder
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Hoarder`
-2. Set the callback url to: `https://<your-hoarder-subdomain>.<your-domain>/api/auth/callback/custom`
-3. Open your `.env` file from your Hoarder compose and add these lines:
-
-```ini
-  OAUTH_WELLKNOWN_URL = https://<your-pocket-id-subdomain>.<your-domain>/.well-known/openid-configuration
-  OAUTH_CLIENT_SECRET = <client secret from the created OIDC client>
-  OAUTH_CLIENT_ID = <client id from the created OIDC client>
-  OAUTH_PROVIDER_NAME = Pocket-Id
-  NEXTAUTH_URL = https:///<your-hoarder-subdomain>.<your-domain>
-
-```
-
-4. Optional: If you like to disable password authentication and link your existing hoarder account with your pocket-id identity
-
-```ini
-  DISABLE_PASSWORD_AUTH	= true
-  OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING = true
-```
--- a/docs/docs/client-examples/imgs/jellyfin_img.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img.png
--- a/docs/docs/client-examples/imgs/jellyfin_img2.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img2.png
--- a/docs/docs/client-examples/imgs/jellyfin_img3.png
+++ b/docs/docs/client-examples/imgs/jellyfin_img3.png
--- a/docs/docs/client-examples/immich.md
+++ b/docs/docs/client-examples/immich.md
@@ -1,26 +0,0 @@
---
-id: immich
---
-# Immich
-
-## Create OIDC Client in Pocket ID
-1. Create a new OIDC Client in Pocket ID (e.g., `immich`).
-2. Set the callback URLs:  
-    ```
-    https://<IMMICH-DOMAIN>/auth/login
-    https://<IMMICH-DOMAIN>/user-settings
-    app.immich:///oauth-callback
-    ```
-4. Copy the **Client ID**, **Client Secret**, and **OIDC Discovery URL**.
-
-## Configure Immich
-1. Open Immich and navigate to:
-   **`Administration > Settings > Authentication Settings > OAuth`**
-2. Enable **Login with OAuth**.
-3. Fill in the required fields:
-   - **Issuer URL**: Paste the `Authorization URL` from Pocket ID.
-   - **Client ID**: Paste the `Client ID` from Pocket ID.
-   - **Client Secret**: Paste the `Client Secret` from Pocket ID.
-4. *(Optional)* Change `Button Text` to `Login with Pocket ID`.
-5. Save the settings.
-6. Test the OAuth login to ensure it works.
--- a/docs/docs/client-examples/jellyfin.md
+++ b/docs/docs/client-examples/jellyfin.md
@@ -1,63 +0,0 @@
---
-id: jellyfin
---
-
-# Jellyfin
-
-> Due to the current limitations of the Jellyfin SSO plugin, this integration will only work in a browser. When tested, the Jellyfin app did not work and displayed an error, even when custom menu buttons were created.
-
-> To view the original references and a full list of capabilities, please visit the [Jellyfin SSO OpenID Section](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#openid).
-
-## Requirements
-
- [Jellyfin Server](https://jellyfin.org/downloads/server)
- [Jellyfin SSO Plugin](https://github.com/9p4/jellyfin-plugin-sso)
- HTTPS connection to your Jellyfin server
-
-## OIDC - Pocket ID Setup
-
-To start, we need to create a new SSO resource in our Jellyfin application.
-
-> Replace the `JELLYFINDOMAIN` and `PROVIDER` elements in the URL.
-
-1. Log into the admin panel, and go to OIDC Clients -> Add OIDC Client.
-2. **Name**: Jellyfin (or any name you prefer)
-3. **Callback URL**: `https://JELLYFINDOMAIN.com/sso/OID/redirect/PROVIDER`
-4. For this example, we’ll be using the provider named "test_resource."
-5. Click **Save**. Keep the page open, as we will need the OID client ID and OID secret.
-
-## OIDC Client - Jellyfin SSO Resource
-
-1. Visit the plugin page (<i>Administration Dashboard -> My Plugins -> SSO-Auth</i>).
-2. Enter the <i>OID Provider Name (we used "test_resource" as our name in the callback URL), Open ID, OID Secret, and mark it as enabled.</i>
-3. The following steps are optional based on your needs. In this guide, we’ll be managing only regular users, not admins.
-
-![img.png](imgs/jellyfin_img.png)
-
-> To manage user access through groups, follow steps **4, 5, and 6**. Otherwise, leave it blank and skip to step 7.
-
-![img2.png](imgs/jellyfin_img2.png)
-
-4. Under <i>Roles</i>, type the name of the group you want to use. **Note:** This must be the group name, not the label. Double-check in Pocket ID, as an incorrect name will lock users out.
-5. Skip every field until you reach the **Role Claim** field, and type `groups`.
-   > This step is crucial if you want to manage users through groups.
-6. Repeat the above step under **Request Additional Scopes**. This will pull the group scope during the sign-in process; otherwise, the previous steps won’t work.
-
-![img3.png](imgs/jellyfin_img3.png)
-
-7. Skip the remaining fields until you reach **Scheme Override**. Enter `https` here. If omitted, it will attempt to use HTTP first, which will break as WebAuthn requires an HTTPS connection.
-8. Click **Save** and restart Jellyfin.
-
-## Optional Step - Custom Home Button
-
-Follow the [guide to create a login button on the login page](https://github.com/9p4/jellyfin-plugin-sso?tab=readme-ov-file#creating-a-login-button-on-the-main-page) to add a custom button on your sign-in page. This step is optional, as you could also provide the sign-in URL via a bookmark or other means.
-
-## Signing into Your Jellyfin Instance
-
-Done! You have successfully set up SSO for your Jellyfin instance using Pocket ID.
-
-> **Note:** Sometimes there may be a brief delay when using the custom menu option. This is related to the Jellyfin plugin and not Pocket ID.
-
-If your users already have accounts, as long as their Pocket ID username matches their Jellyfin ID, they will be logged in automatically. Otherwise, a new user will be created with access to all of your folders. Of course, you can modify this in your configuration as desired.
-
-This setup will only work if sign-in is performed using the `https://jellyfin.example.com/sso/OID/start/PROVIDER` URL. This URL initiates the SSO plugin and applies all the configurations we completed above.
--- a/docs/docs/client-examples/memos.md
+++ b/docs/docs/client-examples/memos.md
@@ -1,28 +0,0 @@
---
-id: memos
---
-
-# Memos
-
-## Pocket ID Setup
-
-1. In Pocket ID, create a new OIDC client named `Memos` (or any name you prefer).  
-2. (Optional) Set a logo for the OIDC client.  
-3. Set the callback URL to: `https://< Memos Host >/auth/callback`  
-4. Copy the `Client ID`, `Client Secret`, `Authorization endpoint`, `Token endpoint`, and `User endpoint` for the next steps.  
-
-## Gitea Setup
-
-1. Log in to Memos as an admin.
-2. Go to **Settings → SSO → Create**.  
-3. Set **Template** to `Custom`.   
-4. Enter the `Client ID` into the **Client ID** field.  
-5. Enter the `Client Secret` into the **Client secret** field.  
-6. Enter the `Authorization URL` into the **Authorization endpoint** field.
-7. Enter the `Token URL` into the **Token endpoint** field.
-8. Enter the `Userinfo URL` into the **User endpoint** field.
-11. Set **Scopes** to `openid email profile`.
-12. Set **Identifier** to `preferred_username`
-13. Set **Display Name** to `profile`.
-14. Set **Email** to `email`.
-15. Save the settings and test the OAuth login.  
--- a/docs/docs/client-examples/netbox.md
+++ b/docs/docs/client-examples/netbox.md
@@ -1,46 +0,0 @@
---
-id: netbox
---
-
-# Netbox
-
-**This guide does not currently show how to map groups in netbox from OIDC claims**
-
-The following example variables are used, and should be replaced with your actual URLS.
-
- netbox.example.com (The url of your netbox instance.)
- id.example.com (The url of your Pocket ID instance.)
-
-## Pocket ID Setup
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Netbox`.
-2. Set a logo for this OIDC Client if you would like too.
-3. Set the callback URL to: `https://netbox.example.com/oauth/complete/oidc/`.
-4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
-
-## Netbox Setup
-
-This guide assumes you are using the git based install of netbox.
-
-1. On your netbox server navigate to `/opt/netbox/netbox/netbox`
-2. Add the following to your `configuration.py` file:
-
-```python
-# Remote authentication support
-REMOTE_AUTH_ENABLED = True
-REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
-REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
-REMOTE_AUTH_USER_FIRST_NAME = 'HTTP_REMOTE_USER_FIRST_NAME'
-REMOTE_AUTH_USER_LAST_NAME = 'HTTP_REMOTE_USER_LAST_NAME'
-REMOTE_AUTH_USER_EMAIL = 'HTTP_REMOTE_USER_EMAIL'
-REMOTE_AUTH_AUTO_CREATE_USER = True
-REMOTE_AUTH_DEFAULT_GROUPS = []
-REMOTE_AUTH_DEFAULT_PERMISSIONS = {}
-
-SOCIAL_AUTH_OIDC_ENDPOINT = 'https://id.example.com'
-SOCIAL_AUTH_OIDC_KEY = '<client id from the first part of this guide>'
-SOCIAL_AUTH_OIDC_SECRET = '<client id from the first part of this guide>'
-LOGOUT_REDIRECT_URL = 'https://netbox.example.com'
-```
-
-3. Save the file and restart netbox: `sudo systemctl start netbox netbox-rq`
--- a/docs/docs/client-examples/open-webui.md
+++ b/docs/docs/client-examples/open-webui.md
@@ -1,17 +0,0 @@
---
-id: open-webui
---
-
-# Open WebUI
-
-1. In Pocket-ID, create a new OIDC Client, name it i.e. `Open WebUI`.
-2. Set the callback URL to: `https://openwebui.domain/oauth/oidc/callback`
-3. Add the following to your docker `.env` file for Open WebUI:
-
-```ini
-  ENABLE_OAUTH_SIGNUP=true
-  OAUTH_CLIENT_ID=<client id from pocket ID>
-  OAUTH_CLIENT_SECRET=<client secret from pocket ID>
-  OAUTH_PROVIDER_NAME=Pocket ID
-  OPENID_PROVIDER_URL=https://<your pocket id url>/.well-known/openid-configuration
-```
--- a/docs/docs/client-examples/pgadmin.md
+++ b/docs/docs/client-examples/pgadmin.md
@@ -1,42 +0,0 @@
---
-id: pgadmin
---
-
-# pgAdmin
-
-The following example variables are used, and should be replaced with your actual URLS.
-
- pgadmin.example.com (The url of your pgAdmin instance.)
- id.example.com (The url of your Pocket ID instance.)
-
-## Pocket ID Setup
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `pgAdmin`.
-2. Set a logo for this OIDC Client if you would like too.
-3. Set the callback URL to: `https://pgadmin.example.com/oauth2/authorize`.
-4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, `Token URL`, and `OIDC Discovery URL` for use in the next steps.
-
-# pgAdmin Setup
-
-1. Add the following to the `config_local.py` file for pgAdmin:
-
-**Make sure to replace https://id.example.com with your actual Pocket ID URL**
-
-```python
-AUTHENTICATION_SOURCES = ['oauth2', 'internal'] # This keeps internal authentication enabled as well as oauth2
-OAUTH2_AUTO_CREATE_USER = True
-OAUTH2_CONFIG = [{
-        'OAUTH2_NAME' : 'pocketid',
-        'OAUTH2_DISPLAY_NAME' : 'Pocket ID',
-        'OAUTH2_CLIENT_ID' : '<client id from the earlier step>',
-        'OAUTH2_CLIENT_SECRET' : '<client secret from the earlier step>',
-        'OAUTH2_TOKEN_URL' : 'https://id.example.com/api/oidc/token',
-        'OAUTH2_AUTHORIZATION_URL' : 'https://id.example/authorize',
-        'OAUTH2_API_BASE_URL' : 'https://id.example.com',
-        'OAUTH2_USERINFO_ENDPOINT' : 'https://id.example.com/api/oidc/userinfo',
-        'OAUTH2_SERVER_METADATA_URL' : 'https://id.example.com/.well-known/openid-configuration',
-        'OAUTH2_SCOPE' : 'openid email profile',
-        'OAUTH2_ICON' : 'fa-openid',
-        'OAUTH2_BUTTON_COLOR' : '#fd4b2d' # Can select any color you would like here.
-}]
-```
--- a/docs/docs/client-examples/portainer.md
+++ b/docs/docs/client-examples/portainer.md
@@ -1,38 +0,0 @@
---
-id: portainer
---
-
-# Portainer
-
-**This requires Portainers Business Edition**
-
-The following example variables are used, and should be replaced with your actual URLS.
-
- portainer.example.com (The url of your Portainer instance.)
- id.example.com (The url of your Pocket ID instance.)
-
-## Pocket ID Setup
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Portainer`.
-2. Set a logo for this OIDC Client if you would like too.
-3. Set the callback URL to: `https://portainer.example.com/`.
-4. Copy the `Client ID`, `Client Secret`, `Authorization URL`, `Userinfo URL`, and `Token URL` for use in the next steps.
-
-# Portainer Setup
-
- While initally setting up OAuth in Portainer, its recommended to keep the `Hide internal authentication prompt` set to `Off` incase you need a fallback login
- This guide does **NOT** cover how to setup group claims in Portainer.
-
-1. Open the Portainer web interface and navigate to: `Settings > Authentication`
-2. Select `Custom OAuth Provider`
-3. Paste the `Client ID` from Pocket ID into the `Client ID` field in Portainer.
-4. Paste the `Client Secret` from Pocket ID into the `Client Secret` field in Portainer.
-5. Paste the `Authorization URL` from Pocket ID into the `Authorization URL` field in Portainer.
-6. Paste the `Token URL` from Pocket ID into the `Access token URL` field in Portainer.
-7. Paste the `Userinfo URL` from Pocket ID into the `Resource URL` field in Portainer.
-8. Set the `Redirect URL` to `https://portainer.example.com`
-9. Set the `Logout URL` to `https://portainer.example.com`
-10. Set the `User identifier` field to `preferred_username`. (This will use the users username vs the email)
-11. Set the `Scopes` field to: `email openid profile`
-12. Set `Auth Style` to `Auto detect`
-13. Save the settings and test the new OAuth Login.
--- a/docs/docs/client-examples/proxmox.md
+++ b/docs/docs/client-examples/proxmox.md
@@ -1,30 +0,0 @@
---
-id: proxmox
---
-
-# Proxmox
-
-The following example variables are used, and should be replaced with your actual URLs.
-
- `proxmox.example.com` (The URL of your Proxmox instance.)
- `id.example.com` (The URL of your Pocket ID instance.)
-
-## Pocket ID Setup
-
-1. In Pocket ID create a new OIDC Client, name it, for example, `Proxmox`.
-2. Set a logo for this OIDC Client if you would like to.
-3. Set the callback URL to: `https://proxmox.example.com`.
-4. Copy the `Client ID`, and the `Client Secret` for use in the next steps.
-
-## Proxmox Setup
-
-1. Open the Proxmox console and navigate to: `Datacenter` -> `Permissions` -> `Realms`.
-2. Add a new `OpenID Connect Server` Realm.
-3. Enter `https://id.example.com` for the `Issuer URL`.
-4. Enter a name for the realm of your choice, for example, `PocketID`.
-5. Paste the `Client ID` from Pocket ID into the `Client ID` field in Proxmox.
-6. Paste the `Client Secret` from Pocket ID into the `Client Key` field in Proxmox.
-7. You can check the `Default` box if you want this to be the default realm Proxmox uses when signing in.
-8. Check the `Autocreate Users` checkbox. (This will automatically create users in Proxmox if they don't exist).
-9. Select `username` for the `Username Claim` dropdown. (This is a personal preference and controls how the username is shown, for example: `username = username@PocketID` or `email = username@example@PocketID`).
-10. Leave the rest as defaults and click `OK` to save the new realm.
--- a/docs/docs/client-examples/semaphore-ui.md
+++ b/docs/docs/client-examples/semaphore-ui.md
@@ -1,28 +0,0 @@
---
-id: semaphore-ui
---
-
-# Semaphore UI
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Semaphore UI`.
-2. Set the callback URL to: `https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/`.
-3. Add the following to your `config.json` file for Semaphore UI:
-
-```json
-"oidc_providers": {
-    "pocketid": {
-        "display_name": "Sign in with PocketID",
-        "provider_url": "https://<your-pocket-id-url>",
-        "client_id": "<client-id-from-pocket-id>",
-        "client_secret": "<client-secret-from-pocket-id>",
-        "redirect_url": "https://<your-semaphore-ui-url>/api/auth/oidc/pocketid/redirect/",
-        "scopes": [
-            "openid",
-            "profile",
-            "email"
-        ],
-        "username_claim": "email",
-        "name_claim": "given_name"
-    }
-}
-```
--- a/docs/docs/client-examples/vikunja.md
+++ b/docs/docs/client-examples/vikunja.md
@@ -1,22 +0,0 @@
---
-id: vikunja
---
-
-# Vikunja
-
-1. In Pocket-ID create a new OIDC Client, name it i.e. `Vikunja`
-2. Set the callback url to: `https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid`
-3. In `Vikunja` ensure to map a config file to your container, see [here](https://vikunja.io/docs/config-options/#using-a-config-file-with-docker-compose)
-4. Add or set the following content to the `config.yml` file:
-
-```yml
-auth:
-  openid:
-    enabled: true
-    redirecturl: https://<your-vikunja-subdomain>.<your-domain>/auth/openid/pocketid
-    providers:
-      - name: Pocket-Id
-        authurl: https://<your-pocket-id-subdomain>.<your-domain>
-        clientid: <client id from the created OIDC client>
-        clientsecret: <client secret from the created OIDC client>
-```
--- a/docs/docs/configuration/environment-variables.md
+++ b/docs/docs/configuration/environment-variables.md
@@ -1,25 +0,0 @@
---
-id: environment-variables
---
-
-# Environment Variables
-
-Below are all the environment variables supported by Pocket ID. These should be configured in your `.env ` file. 
-
-Be cautious when modifying environment variables that are not recommended to change.
-
-| Variable                     | Default Value             | Recommended to change | Description                                                                                                                                                                                                                                                                                                                                                               |
-| ---------------------------- | ------------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `PUBLIC_APP_URL`             | `http://localhost`        | yes                   | The URL where you will access the app.                                                                                                                                                                                                                                                                                                                                    |
-| `TRUST_PROXY`                | `false`                   | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                                                                                                                                                                                                                |
-| `MAXMIND_LICENSE_KEY`        | `-`                       | yes                   | License Key for the GeoLite2 Database. The license key is required to retrieve the geographical location of IP addresses in the audit log. If the key is not provided, IP locations will be marked as "unknown." You can obtain a license key for free [here](https://www.maxmind.com/en/geolite2/signup).                                                                |
-| `PUID` and `PGID`            | `1000`                    | yes                   | The user and group ID of the user who should run Pocket ID inside the Docker container and owns the files that are mounted with the volume. You can get the `PUID` and `GUID` of your user on your host machine by using the command `id`. For more information see [this article](https://docs.linuxserver.io/general/understanding-puid-and-pgid/#using-the-variables). |
-| `DB_PROVIDER`                | `sqlite`                  | no                    | The database provider you want to use. Currently `sqlite` and `postgres` are supported.                                                                                                                                                                                                                                                                                   |
-| `SQLITE_DB_PATH`             | `data/pocket-id.db`       | no                    | The path to the SQLite database. This gets ignored if you didn't set `DB_PROVIDER` to `sqlite`.                                                                                                                                                                                                                                                                           |
-| `POSTGRES_CONNECTION_STRING` | `-`                       | no                    | The connection string to your Postgres database. This gets ignored if you didn't set `DB_PROVIDER` to `postgres`. A connection string can look like this: `postgresql://user:password@host:5432/pocket-id`.                                                                                                                                                               |
-| `UPLOAD_PATH`                | `data/uploads`            | no                    | The path where the uploaded files are stored.                                                                                                                                                                                                                                                                                                                             |
-| `INTERNAL_BACKEND_URL`       | `http://localhost:8080`   | no                    | The URL where the backend is accessible.                                                                                                                                                                                                                                                                                                                                  |
-| `GEOLITE_DB_PATH`            | `data/GeoLite2-City.mmdb` | no                    | The path where the GeoLite2 database should be stored.                                                                                                                                                                                                                                                                                                                    |
-| `CADDY_PORT`                 | `80`                      | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable.                                                                                                                                                                                     |
-| `PORT`                       | `3000`                    | no                    | The port on which the frontend should listen.                                                                                                                                                                                                                                                                                                                             |
-| `BACKEND_PORT`               | `8080`                    | no                    | The port on which the backend should listen                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                            |
--- a/docs/docs/configuration/ldap.md
+++ b/docs/docs/configuration/ldap.md
@@ -1,40 +0,0 @@
---
-id: ldap
---
-
-# LDAP Synchronization
-
-Pocket ID can sync users and groups from an LDAP Source (lldap, OpenLDAP, Active Directory, etc.).
-
-### LDAP Sync
-
- The LDAP Service will sync on Pocket ID startup and every hour once enabled from the Web UI.
- Users or groups synced from LDAP can **NOT** be edited from the Pocket ID Web UI.
-
-### Generic LDAP Setup
-
-1. Follow the installation guide [here](/setup/installation).
-2. Once you have signed in with the initial admin account, navigate to the Application Configuration section at `https://pocket.id/settings/admin/application-configuration`.
-3. Client Configuration Setup
-
-| LDAP Variable      | Example Value                      | Description                                                   |
-| ------------------ | ---------------------------------- | ------------------------------------------------------------- |
-| LDAP URL           | ldaps://ldap.mydomain.com:636      | The URL with port to connect to LDAP                          |
-| LDAP Bind DN       | cn=admin,ou=users,dc=domain,dc=com | The full DN value for the user with search privileges in LDAP |
-| LDAP Bind Password | securepassword                     | The password for the Bind DN account                          |
-| LDAP Search Base   | dc=domain,dc=com                   | The top-level path to search for users and groups             |
-
-<br />
-
-4. LDAP Attribute Configuration Setup
-
-| LDAP Variable                     | Example Value      | Description                                                                      |
-| --------------------------------- | ------------------ | -------------------------------------------------------------------------------- |
-| User Unique Identifier Attribute  | uuid               | The LDAP attribute to uniquely identify the user, **this should never change**   |
-| Username Attribute                | uid                | The LDAP attribute to use as the username of users                               |
-| User Mail Attribute               | mail               | The LDAP attribute to use for the email of users                                 |
-| User First Name Attribute         | givenName          | The LDAP attribute to use for the first name of users                            |
-| User Last Name Attribute          | sn                 | The LDAP attribute to use for the last name of users                             |
-| Group Unique Identifier Attribute | uuid               | The LDAP attribute to uniquely identify the groups, **this should never change** |
-| Group Name Attribute              | uid                | The LDAP attribute to use as the name of synced groups                           |
-| Admin Group Name                  | \_pocket_id_admins | The group name to use for admin permissions for LDAP users                       |
--- a/docs/docs/guides/proxy-services.md
+++ b/docs/docs/guides/proxy-services.md
@@ -1,183 +0,0 @@
---
-id: proxy-services
---
-
-# Proxy Services
-
-The goal of Pocket ID is to function exclusively as an OIDC provider. As such, we don't have a built-in proxy provider. However, you can use other tools that act as a middleware to protect your services and support OIDC as an authentication provider.
-
-There are two ways to do this:
-
- Implement OIDC into your reverse proxy
- Use [OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/)
-
-## Reverse Proxy
-
-Almost every reverse proxy somehow supports protecting your services with OIDC. Currently only Caddy is documented but you can search on Google for your reverse proxy and OIDC.
-
-We would really appreciate if you contribute to this documentation by adding your reverse proxy and how to configure it with Pocket ID.
-
-### Caddy
-
-With [caddy-security](https://github.com/greenpau/caddy-security) you can easily protect your services with Pocket ID.
-
-#### 1. Create a new OIDC client in Pocket ID.
-
-Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/auth/oauth2/generic/authorization-code-callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
-
-#### 2. Install caddy-security
-
-Run the following command to install caddy-security:
-
-```bash
-caddy add-package github.com/greenpau/caddy-security
-```
-
-#### 3. Create your Caddyfile
-
-```bash
-{
-  	# Port to listen on
-	http_port 443
-
-  	# Configure caddy-security.
-	order authenticate before respond
-	security {
-		oauth identity provider generic {
-			delay_start 3
-			realm generic
-			driver generic
-			client_id client-id-from-pocket-id # Replace with your own client ID
-			client_secret client-secret-from-pocket-id # Replace with your own client secret
-			scopes openid email profile
-			base_auth_url http://localhost
-			metadata_url http://localhost/.well-known/openid-configuration
-		}
-
-		authentication portal myportal {
-			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
-			enable identity provider generic
-			cookie insecure off # Set to "on" if you're not using HTTPS
-
-			transform user {
-				match realm generic
-				action add role user
-			}
-		}
-
-		authorization policy mypolicy {
-			set auth url /auth/oauth2/generic
-			allow roles user
-			inject headers with claims
-		}
-	}
-}
-
-https://<domain-of-your-service> {
-	@auth {
-		path /auth/oauth2/generic
-		path /auth/oauth2/generic/authorization-code-callback
-    }
-
-	route @auth {
-		authenticate with myportal
-	}
-
-	route /* {
-		authorize with mypolicy
-		reverse_proxy http://<service-to-be-proxied>:<port> # Replace with your own service
-	}
-}
-```
-
-For additional configuration options, refer to the official [caddy-security documentation](https://docs.authcrunch.com/docs/intro).
-
-#### 4. Start Caddy
-
-```bash
-caddy run --config Caddyfile
-```
-
-#### 5. Access the service
-
-Your service should now be protected by Pocket ID.
-
-## OAuth2 Proxy
-
-### Docker Installation
-
-#### 1. Add OAuth2 proxy to the service that should be proxied.
-
-To configure OAuth2 Proxy with Pocket ID, you have to add the following service to the service that should be proxied. E.g., if [Uptime Kuma](https://github.com/louislam/uptime-kuma) should be proxied, you can add the following service to the `docker-compose.yml` of Uptime Kuma:
-
-```yaml
-# Example with Uptime Kuma
-# uptime-kuma:
-#  image: louislam/uptime-kuma
-oauth2-proxy:
-  image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-  command: --config /oauth2-proxy.cfg
-  volumes:
-    - "./oauth2-proxy.cfg:/oauth2-proxy.cfg"
-  ports:
-    - 4180:4180
-```
-
-#### 2. Create a new OIDC client in Pocket ID.
-
-Create a new OIDC client in Pocket ID by navigating to `https://<your-domain>/settings/admin/oidc-clients`. Now enter `https://<domain-of-proxied-service>/oauth2/callback` as the callback URL. After adding the client, you will obtain the client ID and client secret, which you will need in the next step.
-
-#### 3. Create a configuration file for OAuth2 Proxy.
-
-Create a configuration file named `oauth2-proxy.cfg` in the same directory as your `docker-compose.yml` file of the service that should be proxied (e.g. Uptime Kuma). This file will contain the necessary configurations for OAuth2 Proxy to work with Pocket ID.
-
-Here is the recommend `oauth2-proxy.cfg` configuration:
-
-```cfg
-# Replace with your own credentials
-client_id="client-id-from-pocket-id"
-client_secret="client-secret-from-pocket-id"
-oidc_issuer_url="https://<your-pocket-id-domain>"
-
-# Replace with a secure random string
-cookie_secret="random-string"
-
-# Upstream servers (e.g http://uptime-kuma:3001)
-upstreams="http://<service-to-be-proxied>:<port>"
-
-# Additional Configuration
-provider="oidc"
-scope = "openid email profile groups"
-
-# If you are using a reverse proxy in front of OAuth2 Proxy
-reverse_proxy = true
-
-# Email domains allowed for authentication
-email_domains = ["*"]
-
-# If you are using HTTPS
-cookie_secure="true"
-
-# Listen on all interfaces
-http_address="0.0.0.0:4180"
-```
-
-For additional configuration options, refer to the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview).
-
-#### 4. Start the services.
-
-After creating the configuration file, you can start the services using Docker Compose:
-
-```bash
-docker compose up -d
-```
-
-#### 5. Access the service.
-
-You can now access the service through OAuth2 Proxy by visiting `http://localhost:4180`.
-
-### Standalone Installation
-
-Setting up OAuth2 Proxy with Pocket ID without Docker is similar to the Docker setup. As the setup depends on your environment, you have to adjust the steps accordingly but is should be similar to the Docker setup.
-
-You can visit the official [OAuth2 Proxy documentation](https://oauth2-proxy.github.io/oauth2-proxy/installation) for more information.
--- a/docs/docs/introduction.md
+++ b/docs/docs/introduction.md
@@ -1,24 +0,0 @@
---
-id: introduction
---
-
-# Introduction
-
-Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.
-
-The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
-
-Additionally, what makes Pocket ID special is that it only supports [passkey](https://www.passkeys.io/) authentication, which means you don’t need a password. Some people might not like this idea at first, but I believe passkeys are the future, and once you try them, you’ll love them. For example, you can now use a physical Yubikey to sign in to all your self-hosted services easily and securely.
-
-**_Pocket ID is in its early stages and may contain bugs. There might be OIDC features that are not yet implemented. If you encounter any issues, please open an issue_** [here](https://github.com/stonith404/pocket-id/issues/new?template=bug.yml).
-
-## Get to know Pocket ID
-
-→ [Try the Demo of Pocket ID](https://demo.pocket-id.org)
-
-<img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="700"/>
-
-## Useful Links
- [Installation](/setup/installation)
- [Proxy Services](/guides/proxy-services)
- [Client Examples](/client-examples)
--- a/docs/docs/setup/installation.md
+++ b/docs/docs/setup/installation.md
@@ -1,85 +0,0 @@
---
-id: installation
---
-
-# Installation
-
-# Before you start
-
-Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).
-
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](/configuration/environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Proxmox
-
-Run the [helper script](https://community-scripts.github.io/ProxmoxVE/scripts?id=pocketid) as root in your Proxmox shell. 
-
-**Configuration Paths**
- /opt/pocket-id/backend/.env
- /opt/pocket-id/frontend/.env
-
-```bash
-bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/pocketid.sh)"
-```
-
-### Unraid
-
-Pocket ID is available as a template on the Community Apps store.
-
-### Stand-alone Installation
-
-Required tools:
-
- [Node.js](https://nodejs.org/en/download/) >= 22
- [Go](https://golang.org/doc/install) >= 1.23
- [Git](https://git-scm.com/downloads)
- [PM2](https://pm2.keymetrics.io/)
- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-
-2. Run the following commands:
-
-   ```bash
-   git clone https://github.com/stonith404/pocket-id
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start --name pocket-id-caddy caddy -- run --config reverse-proxy/Caddyfile
-   ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	e46471cc2d	release: 0.35.3	2025-02-25 20:34:37 +01:00
Elias Schneider	fde951b543	fix(ldap): sync error if LDAP user collides with an existing user	2025-02-25 20:34:13 +01:00
Kyle Mendell	01a9de0b04	fix: add option to manually select SMTP TLS method (#268 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-25 19:10:20 +01:00
Elias Schneider	a1131bca9a	release: 0.35.2	2025-02-24 09:40:48 +01:00
Elias Schneider	9a167d4076	fix: delete profile picture if user gets deleted	2025-02-24 09:40:14 +01:00
Elias Schneider	887c5e462a	fix: updating profile picture of other user updates own profile picture	2025-02-24 09:35:44 +01:00
Elias Schneider	20eba1378e	release: 0.35.1	2025-02-22 14:59:43 +01:00
Elias Schneider	a6ae7ae287	fix: add validation that `PUBLIC_APP_URL` can't contain a path	2025-02-22 14:59:10 +01:00
Elias Schneider	840a672fc3	fix: binary profile picture can't be imported from LDAP	2025-02-22 14:51:21 +01:00
Elias Schneider	7446f853fc	release: 0.35.0	2025-02-19 14:29:24 +01:00
Elias Schneider	652ee6ad5d	feat: add ability to upload a profile picture (#244 )	2025-02-19 14:28:45 +01:00
Elias Schneider	dca9e7a11a	fix: emails do not get rendered correctly in Gmail	2025-02-19 13:54:36 +01:00
Elias Schneider	816c198a42	fix: app config strings starting with a number are parsed incorrectly	2025-02-18 21:36:08 +01:00
Elias Schneider	339837bec4	release: 0.34.0	2025-02-16 18:29:18 +01:00
Kyle Mendell	39b46e99a9	feat: add LDAP group membership attribute (#236 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-16 18:27:07 +01:00
Elias Schneider	dc9e64de3d	release: 0.33.0	2025-02-14 17:10:14 +01:00
Elias Schneider	6207e10279	Merge branch 'main' of https://github.com/pocket-id/pocket-id	2025-02-14 17:09:39 +01:00
Elias Schneider	7550333fe2	feat: add end session endpoint (#232 )	2025-02-14 17:09:27 +01:00
Elias Schneider	3de1301fa8	fix: layout of OIDC client details page on mobile	2025-02-14 16:03:17 +01:00
Elias Schneider	c3980d3d28	fix: alignment of OIDC client details	2025-02-14 15:53:30 +01:00
Elias Schneider	4d0fff821e	fix: show "Sync Now" and "Test Email" button even if UI config is disabled	2025-02-14 13:32:01 +01:00
Elias Schneider	2e66211b7f	release: 0.32.0	2025-02-13 21:02:20 +01:00
Giovanni	2071d002fc	feat: add ability to set custom Geolite DB URL	2025-02-13 21:01:43 +01:00
Elias Schneider	0d071694cd	release: 0.31.0	2025-02-12 16:29:43 +01:00
Kyle Mendell	39e403d00f	feat: add warning for only having one passkey configured (#220 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-12 16:29:08 +01:00
Elias Schneider	4e858420e9	feat: add ability to override the UI configuration with environment variables	2025-02-12 14:20:52 +01:00
Kyle Mendell	2d78349b38	fix: user linking in ldap group sync (#222 )	2025-02-11 17:25:00 +01:00
Kyle Mendell	9ed2adb0f8	feat: display source in user and group table (#225 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-11 17:24:10 +01:00
Elias Schneider	43790dc1be	ci/cd: downgrade ubuntu version of Docker build action runner	2025-02-09 15:16:13 +01:00
Elias Schneider	7fbc356d8d	ci/cd: remove Docker Hub registry	2025-02-09 15:11:10 +01:00
Elias Schneider	9b77e8b7c1	release: 0.30.0	2025-02-08 18:19:11 +01:00
Jonas Claes	bea115866f	feat: update host configuration to allow external access (#218 )	2025-02-08 18:17:57 +01:00
Kyle Mendell	626f87d592	feat: add custom ldap search filters (#216 )	2025-02-08 18:16:57 +01:00
Elias Schneider	0751540d7d	chore: remove docs from repository	2025-02-06 17:22:43 +01:00
Elias Schneider	7c04bda5b7	docs: improve mobile layout of landing page	2025-02-06 16:57:16 +01:00
Elias Schneider	98add37390	docs: add docs root path redirection	2025-02-06 16:50:38 +01:00
Elias Schneider	3dda2e16e9	docs: improve landing page	2025-02-06 16:42:29 +01:00
Kyle Mendell	3a6fce5c4b	docs: add landing page (#203 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-06 16:41:44 +01:00
Elias Schneider	07ee087c3d	Merge branch 'main' of https://github.com/pocket-id/pocket-id	2025-02-06 12:12:55 +01:00
Elias Schneider	d66cf70d50	ci/cd: add missing permissions to "Build and Push Docker Image"	2025-02-06 12:12:49 +01:00
RobinMicek	fb8cc0bb22	docs: fix freshrss callback url (#212 )	2025-02-06 07:37:14 +01:00
Elias Schneider	0bae7e4f53	chore: fix old docker image references	2025-02-05 18:46:31 +01:00
Elias Schneider	974b7b3c34	release: 0.29.0	2025-02-05 18:29:08 +01:00
Elias Schneider	15cde6ac66	feat: add JSON support in custom claims	2025-02-05 18:28:21 +01:00
Elias Schneider	e864d5dcbf	feat: add option to disable Caddy in the Docker container	2025-02-05 18:14:49 +01:00
Elias Schneider	c6ab2b252c	chore: replace `stonith404` with `pocket-id` after org migration	2025-02-05 18:08:01 +01:00
Kyle Mendell	7350e3486d	docs: enhance documentation (#205 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-02-05 17:18:01 +01:00
Elias Schneider	96303ded2b	release: 0.28.1	2025-02-04 18:19:20 +01:00
Elias Schneider	d06257ec9b	fix: don't return error page if version info fetching failed	2025-02-04 18:19:06 +01:00
Elias Schneider	19ef4833e9	docs: fix reauthentication in caddy-security example	2025-02-04 17:57:36 +01:00
@@ -1 +1 @@
 .28.0
 .35.3
				`@@ -0,0 +1 @@`
				`ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;`
				`@@ -0,0 +1 @@`
				`ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls JSONB;`
				`@@ -0,0 +1 @@`
				`UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';`